Abstract. We present a formalization of a version of Abadi and Plotkin's logic for
parametricity for a polymorphic dual intuitionistic/linear type theory with fixed points, and
show, following Plotkin's suggestions, that it can be used to define a wide collection of
types, including existential types, inductive types, coinductive types and general recursive
types. We show that the recursive types satisfy a universal property called dinaturality,
and we develop reasoning principles for the constructed types. In the case of recursive
types, the reasoning principle is a mixed induction/coinduction principle, with the curious
property that coinduction holds for general relations, but induction only for a limited
collection of "admissible" relations. A similar property was observed in Pitts' 1995 analysis
of recursive types in domain theory. In a future paper we will develop a category theoretic
notion of models of the logic presented here, and show how the results developed in the
logic can be transferred to the models.



Introduction 

In 1983 Reynolds argued that parametric models of the second-order lambda calculus
are very useful for modeling data abstraction in programming [Rey83] (see also [Pie02] for
a recent textbook description). For real programming, one is of course not just interested
in a strongly terminating calculus such as the second-order lambda calculus, but also in a
language with full recursion. Thus in loc. cit. Reynolds also asked for a parametric
domain-theoretic model of polymorphism. Informally, what is meant [Rey00] by this is a model
of an extension of the polymorphic lambda calculus [Rey74, Gir72] with a polymorphic
fixed-point operator $Y : \prod\alpha.\, (\alpha \to \alpha) \to \alpha$ such that

(1) types are modeled as domains, the sublanguage without polymorphism is modeled
in the standard way and $Y\,\sigma$ is the least fixed-point operator for the domain $\sigma$;

(2) the logical relations theorem (also known as the abstraction theorem) is satisfied
when the logical relations are admissible, i.e., strict and closed under limits of chains; 

(3) every value in the domain representing some polymorphic type is parametric in the 
sense that it satisfies the logical relations theorem (even if it is not the interpretation 
of any expression of that type). 

Of course, this informal description leaves room for different formalizations of the
problem. Even so, it has proved to be a non-trivial problem. Unpublished work of Plotkin [Plo93]
indicates one way to solve the problem model-theoretically by using strict, admissible
partial equivalence relations over a domain model of the untyped lambda calculus but, as far
as we know, the details of this relationally parametric model have not been worked out in
the literature.

From a type theoretical perspective parametric polymorphism is interesting because it
allows for encodings of a large collection of types from a small number of constructions.
For example adding parametric polymorphism as a reasoning principle to the second-order
lambda calculus gives encodings of products, coproducts, existential types and general
inductive and coinductive types from just $\to$ and polymorphism [PA93, Bg05].

This strength of the typing system also complicates matters when adding recursion.
Simply adding a polymorphic fixed point combinator to parametric second order lambda
calculus would give a type theory with coproducts, products, function spaces and fixed
points, a combination known to exist only in the trivial case of all types being isomorphic
[HP90]. Inspired by domain theory Plotkin suggested to consider a polymorphic dual
intuitionistic/linear lambda calculus and restrict the parametricity principle accordingly to
give encodings of coproducts and (co-)inductive types in the linear part of the calculus
but not the intuitionistic part. Moreover, the existence of fixed points would provide
solutions to general recursive type equations using Freyd's theory of algebraically compact
categories [Fre90b, Fre90a, Fre91]. This led Plotkin to argue that such a calculus could
serve as a very powerful metalanguage for domain theory.

Thus parametric domain-theoretic models of polymorphic intuitionistic / linear lambda 
calculus are of importance both from a programming language perspective (for modeling 
data abstraction) and from a purely domain-theoretic perspective. 

Recently, Pitts and coworkers [BPR00] have presented a syntactic approach to Reynolds'
challenge, where the notion of domain is essentially taken to be equivalence classes of terms 
modulo a particular notion of contextual equivalence derived from an operational semantics 
for a language called Lily, which is essentially polymorphic intuitionistic/linear lambda 
calculus endowed with an operational semantics. 

In parallel with the work presented here, Rosolini and Simpson [RS04] have shown
how to construct parametric domain-theoretic models using synthetic domain-theory in 
intuitionistic set-theory. Moreover, they have shown how to give a computationally adequate 
denotational semantics of Lily. 

This paper presents a formalization of Abadi & Plotkin's logic adapted to the case of
Polymorphic Intuitionistic/Linear Lambda calculus with a polymorphic fixed point
combinator denoted Y — a language which we shall call PILLy. PILLy is a simple extension of
Barber and Plotkin's dual intuitionistic/linear lambda calculus (DILL) with polymorphism 
and fixed points. By dual we mean that terms have two contexts of term variables: an 
intuitionistic and a linear one. 

Linear Abadi-Plotkin Logic (LAPL) presented in this paper is a logic for reasoning 
about parametricity for PILLy. As mentioned above, for the logic to be consistent, the 
parametricity principle has to be restricted in some way, so that it can be used to prove
universal properties in the category of linear terms, but not in the category of intuitionistic 
terms. To achieve this restriction, LAPL is equipped with a notion of admissible relation, 
and the parametricity principle is formulated using these relations only. Admissible relations 
form a subset of the set of definable relations between types, and the prime example of an 
admissible relation in the logic is the graph of a linear function, whereas the prime example 
of a relation that is not admissible in general is the graph of an intuitionistic function. 

Using the logic, we show how Plotkin's encodings of a large collection of datatypes 
satisfy the usual universal properties with respect to linear maps in the calculus, up to 
provability in the logic. In the case of inductive types this means showing that the encodings 
give initial algebras for certain functors induced by types, for coinductive types we get final 
coalgebras, and for the general recursive types, the encodings give initial dialgebras for the 
bifunctors induced by type expressions. These results were sketched by Plotkin in [Plo93],
but since the proofs are non-trivial and have never appeared in the literature we include 
them here. We treat recursive types in full generality, meaning that we treat recursive types 
with parameters showing that nested recursive types can be modeled. 

We also present reasoning principles for the constructed types. Using parametricity we 
get an induction principle for inductive types holding only for admissible relations. For the 
coinductive types we get a coinduction principle holding for all relations. These results are 
extended to recursive types giving a mixed induction/coinduction principle in which the 
induction part holds for admissible relations only, but the coinduction part holds for all 
relations. Again these principles are treated in full generality, i.e., also for recursive types 
with parameters. A similar induction/coinduction principle with the same restrictions was 
discovered by Pitts [Pit95] for recursive types in domain theory. 

The present paper is the first in a series presenting an axiomatization of domain
theoretic models of parametricity. In a forthcoming paper (based on [BMP05]) we present
a sound and complete notion of parametric models of LAPL called parametric
LAPL-structures, and show how to transfer the results proved in LAPL to these. In further papers
we will show examples of such parametric LAPL-structures, first treating Plotkin's idea of
using admissible pers over reflexive domains, and in further papers we show how Rosolini
and Simpson's construction [RS04] can be seen as constructing parametric LAPL-structures
and we construct LAPL-structures from Lily syntax in [BMPV06]. Finally in [Møg05b] we
show how the parametric completion process of Robinson & Rosolini [RR94] can be adapted
to construct parametric LAPL-structures from internal models of PILLy in quasi toposes.

In each of these models the abstract notion of admissible relations in LAPL is
interpreted differently. For example, in the per model the notion of admissible relations are
certain subsets of the set of equivalence classes of pers, and in the Lily model admissible
relations are $\top\top$-closed sets of terms. The abstract notion of admissible relations presented
in this paper is general enough to fit all these different cases.

We remark that one can see our notion of parametric LAPL-structure as a suitable 
categorical axiomatization of a good category of domains. In Axiomatic Domain Theory 
much of the earlier work has focused on axiomatizing the adjunction between the category of 
predomains and continuous functions and the category of predomains and partial continuous 
functions [Fio96, Page 7] - here we axiomatize the adjunction between the category of
domains and strict functions and the category of domains and all continuous functions and 
extend it with parametric polymorphism, which then suffices to also model recursive types. 

Outline. The remainder of this paper consists of two parts. The first part (Section 1)
presents the calculus PILLy and the logic LAPL for reasoning about parametricity. The
second part (Section 2) gives detailed proofs of correctness of encodings of a series of types
including inductive, coinductive and recursive types, and gives the reasoning principles for 
these. 

1. Linear Abadi-Plotkin Logic 

In this section we define a logic for reasoning about parametricity for Polymorphic 
Intuitionistic Linear Lambda calculus with fixed points (PILLy). The logic is based on 
Abadi and Plotkin's logic for parametricity [PA93] for the second-order lambda calculus
and thus we refer to the logic as Linear Abadi-Plotkin Logic (LAPL). 

The logic for parametricity is basically a higher-order logic over PILLy. Expressions 
of the logic are formulas in contexts of variables of PILLy and relations among types of 
PILLy. Thus we start by defining PILLy. 

1.1. PILLy. PILLy is essentially Barber and Plotkin's DILL [Bar97] extended with
polymorphism and a fixed point combinator.

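Well-formed type expressions in PILLy are expressions of the form:

\[ \alpha_1 : \mathsf{Type}, \ldots, \alpha_n : \mathsf{Type} \vdash \sigma : \mathsf{Type} \]

where $\sigma$ is built using the syntax

\[ \sigma ::= \alpha \mid I \mid \sigma \otimes \sigma \mid \sigma \multimap \sigma \mid {!\sigma} \mid \prod\alpha.\, \sigma \]

and all the free variables of $\sigma$ appear on the left hand side of the turnstile. The last
construction binds $\alpha$, so if we have a type

\[ \alpha_1 : \mathsf{Type}, \ldots, \alpha_n : \mathsf{Type} \vdash \sigma : \mathsf{Type}, \]

then we may form the type

\[ \alpha_1 : \mathsf{Type}, \ldots, \alpha_{i-1} : \mathsf{Type}, \alpha_{i+1} : \mathsf{Type}, \ldots, \alpha_n : \mathsf{Type} \vdash \prod\alpha_i.\, \sigma : \mathsf{Type}. \]

We use $\sigma, \tau, \omega, \sigma', \tau', \ldots$ to range over types. The list of $\alpha$'s is called the kind context, and
is often denoted simply by $\Xi$ or $\vec{\alpha}$. Since there is only one kind the annotation $: \mathsf{Type}$ is
often omitted.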

The terms of PILLy are of the form:

\[ \Xi \mid x_1 : \sigma_1, \ldots, x_n : \sigma_n;\; x'_1 : \sigma'_1, \ldots, x'_m : \sigma'_m \vdash t : \tau \]

where the $\sigma_i$, $\sigma'_i$, and $\tau$ are well-formed types in the kind context $\Xi$. The list of $x$'s is called
the intuitionistic type context and is often denoted $\Gamma$, and the list of $x'$'s is called the linear
type context, often denoted $\Delta$. No repetition of variable names is allowed in any of the
contexts, but permutation akin to having an exchange rule is. Note that, due to the nature
of the axioms of the to-be-introduced formation rules, weakening and contraction can be
derived for all but the linear context.
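The grammar for terms is:

\[ \begin{array}{rl}
t ::= & x \mid \star \mid Y \mid \lambda^\circ x : \sigma.\, t \mid t\; t \mid t \otimes t \mid {!t} \mid \Lambda\alpha : \mathsf{Type}.\, t \mid t(\sigma) \mid \\
& \text{let } x : \sigma \otimes y : \tau \text{ be } t \text{ in } t \mid \text{let } {!x} : \sigma \text{ be } t \text{ in } t \mid \text{let } \star \text{ be } t \text{ in } t
\end{array} \]

We use $\lambda^\circ$, which bears some graphical resemblance to $\multimap$, to denote linear function
abstraction. And we use $s, t, u, \ldots$ to range over terms.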

The formation rules are given in Figure 1. A term context $\Xi \mid \Gamma; \Delta$ is considered
well-formed if for all types $\sigma$ appearing in $\Gamma$ and $\Delta$, the type construction $\Xi \vdash \sigma : \mathsf{Type}$ is
well-formed. The linear contexts $\Delta$ and $\Delta'$ are considered disjoint if the set of variables
appearing in $\Delta$ is disjoint from the set of variables appearing in $\Delta'$. We use $-$ to denote an
empty context. As the types of variables in the let-constructions and function abstractions
are often apparent from the context, these will just as often be omitted.

The fixed point combinator Y appears as a term in the language, but could equivalently 
have been given as an operator on terms as e.g. the rec operator in Lily. By having it as 
a polymorphic term the parametricity principle it satisfies becomes evident. 



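\[ \Xi \mid \Gamma; - \vdash \star : I \qquad\qquad \Xi \mid \Gamma; - \vdash Y : \prod\alpha.\, !(!\alpha \multimap \alpha) \multimap \alpha \]

\[ \Xi \mid \Gamma, x : \sigma; - \vdash x : \sigma \qquad\qquad \Xi \mid \Gamma; x : \sigma \vdash x : \sigma \]

\[ \frac{\Xi \mid \Gamma; \Delta \vdash t : \sigma \multimap \tau \qquad \Xi \mid \Gamma; \Delta' \vdash u : \sigma}{\Xi \mid \Gamma; \Delta, \Delta' \vdash t\; u : \tau} \quad \Delta, \Delta' \text{ disjoint} \]

\[ \frac{\Xi \mid \Gamma; \Delta, x : \sigma \vdash u : \tau}{\Xi \mid \Gamma; \Delta \vdash \lambda^\circ x : \sigma.\, u : \sigma \multimap \tau} \]

\[ \frac{\Xi \mid \Gamma; \Delta \vdash t : \sigma \qquad \Xi \mid \Gamma; \Delta' \vdash s : \tau}{\Xi \mid \Gamma; \Delta, \Delta' \vdash t \otimes s : \sigma \otimes \tau} \quad \Delta, \Delta' \text{ disjoint} \]

\[ \frac{\Xi \mid \Gamma; - \vdash t : \sigma}{\Xi \mid \Gamma; - \vdash {!t} : {!\sigma}} \]

\[ \frac{\Xi, \alpha : \mathsf{Type} \mid \Gamma; \Delta \vdash t : \sigma}{\Xi \mid \Gamma; \Delta \vdash \Lambda\alpha : \mathsf{Type}.\, t : \prod\alpha : \mathsf{Type}.\, \sigma} \quad \Xi \mid \Gamma; \Delta \text{ is well-formed} \]

\[ \frac{\Xi \mid \Gamma; \Delta \vdash t : \prod\alpha : \mathsf{Type}.\, \sigma \qquad \Xi \vdash \tau : \mathsf{Type}}{\Xi \mid \Gamma; \Delta \vdash t(\tau) : \sigma[\tau/\alpha]} \]

\[ \frac{\Xi \mid \Gamma; \Delta \vdash s : \sigma \otimes \sigma' \qquad \Xi \mid \Gamma; \Delta', x : \sigma, y : \sigma' \vdash t : \tau}{\Xi \mid \Gamma; \Delta, \Delta' \vdash \text{let } x : \sigma \otimes y : \sigma' \text{ be } s \text{ in } t : \tau} \quad \Delta, \Delta' \text{ disjoint} \]

\[ \frac{\Xi \mid \Gamma; \Delta \vdash s : {!\sigma} \qquad \Xi \mid \Gamma, x : \sigma; \Delta' \vdash t : \tau}{\Xi \mid \Gamma; \Delta, \Delta' \vdash \text{let } {!x} : {!\sigma} \text{ be } s \text{ in } t : \tau} \quad \Delta, \Delta' \text{ disjoint} \]

\[ \frac{\Xi \mid \Gamma; \Delta \vdash t : I \qquad \Xi \mid \Gamma; \Delta' \vdash s : \sigma}{\Xi \mid \Gamma; \Delta, \Delta' \vdash \text{let } \star \text{ be } t \text{ in } s : \sigma} \]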

Figure 1: Formation rules for terms 

Lemma 1.1. Any term can in a given context be shown to have at most one type, i.e., if
the typing judgements $\Xi \mid \Gamma; \Delta \vdash t : \tau$ and $\Xi \mid \Gamma; \Delta \vdash t : \tau'$ are derivable then $\tau = \tau'$.

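Lemma 1.2. The following three substitution rules are derivable from the formation rules
of PILLy.

\[ \frac{\Xi \mid \Gamma; \Delta, x : \sigma \vdash t : \tau \qquad \Xi \mid \Gamma; \Delta' \vdash u : \sigma}{\Xi \mid \Gamma; \Delta, \Delta' \vdash t[u/x] : \tau} \]

\[ \frac{\Xi \mid \Gamma, x : \sigma; \Delta \vdash t : \tau \qquad \Xi \mid \Gamma; - \vdash u : \sigma}{\Xi \mid \Gamma; \Delta \vdash t[u/x] : \tau} \]

\[ \frac{\Xi, \alpha \mid \Gamma; \Delta \vdash t : \tau \qquad \Xi \vdash \sigma : \mathsf{Type}}{\Xi \mid \Gamma[\sigma/\alpha]; \Delta[\sigma/\alpha] \vdash t[\sigma/\alpha] : \tau[\sigma/\alpha]} \]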

What we have described above is called pure PILLy. In general we will consider PILLy
over polymorphic signatures [Jac99, 8.1.1]. Informally, one may think of such a calculus as
pure PILLy with added type-constants and term-constants. For instance, one may have
a constant type for integers or a constant type for lists $\alpha \vdash \mathit{lists}(\alpha) : \mathsf{Type}$. We will be
particularly interested in the internal languages of PILLy models which in general will be
non-pure calculi.

We will also sometimes speak of the calculus PILL. This is PILLy without the fixed 
point combinator Y. 



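1.1.1. Equality. The external equality relation on PILLy terms is the least equivalence
relation given by the rules in Figure 2. External equality is typed in the sense that if in a
given context two terms are externally equal, then they have the same type. The definition
makes use of the notion of a context, which, loosely speaking, is a term with exactly one
hole in it. Formally contexts are defined using the grammar:

\[ \begin{array}{rl}
C[-] ::= & - \mid \text{let } \star \text{ be } C[-] \text{ in } t \mid \text{let } \star \text{ be } t \text{ in } C[-] \mid t \otimes C[-] \mid C[-] \otimes t \mid \\
& \text{let } x \otimes y \text{ be } C[-] \text{ in } t \mid \text{let } x \otimes y \text{ be } t \text{ in } C[-] \mid \lambda^\circ x : \sigma.\, C[-] \mid \\
& C[-]\; t \mid t\; C[-] \mid {!C[-]} \mid \text{let } {!x} \text{ be } C[-] \text{ in } t \mid \text{let } {!x} \text{ be } t \text{ in } C[-] \mid \\
& \Lambda\alpha : \mathsf{Type}.\, C[-] \mid C[-]\, \sigma
\end{array} \]

A context $C[-]$ is called a $\Xi \mid \Gamma; \Delta \vdash \sigma \;-\; \Xi \mid \Gamma'; \Delta' \vdash \tau$ context if for any well-formed term
$\Xi \mid \Gamma; \Delta \vdash t : \sigma$, the term $\Xi \mid \Gamma'; \Delta' \vdash C[t] : \tau$ is well-formed. A context is linear, if it does
not contain a subcontext of the form $!C[-]$.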

We prove a couple of useful lemmas about external equality. 

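Lemma 1.3. Suppose $\Xi \mid \Gamma; \Delta \vdash f, g : {!\sigma} \multimap \tau$ are terms such that

\[ \Xi \mid \Gamma, x : \sigma; \Delta \vdash f(!x) = g(!x). \]

Then $f = g$.

Proof. Using the rules for external equality, we conclude from the assumption that

\[ \Xi \mid \Gamma; \Delta, y : {!\sigma} \vdash \text{let } {!x} \text{ be } y \text{ in } f(!x) = \text{let } {!x} \text{ be } y \text{ in } g(!x) \]

and further that

\[ \Xi \mid \Gamma; \Delta, y : {!\sigma} \vdash f(\text{let } {!x} \text{ be } y \text{ in } {!x}) = g(\text{let } {!x} \text{ be } y \text{ in } {!x}). \]

Thus

\[ \Xi \mid \Gamma; \Delta, y : {!\sigma} \vdash f(y) = g(y) \]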
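
\[ \begin{array}{ll}
\beta\text{-term} & \Xi \mid \Gamma; \Delta \vdash (\lambda^\circ x : \sigma.\, t)\, u = t[u/x] \\
\beta\text{-type} & \Xi \mid \Gamma; \Delta \vdash (\Lambda\alpha : \mathsf{Type}.\, t)\, \sigma = t[\sigma/\alpha] \\
\eta\text{-term} & \Xi \mid \Gamma; \Delta \vdash \lambda^\circ x : \sigma.\, (t\, x) = t \\
\eta\text{-type} & \Xi \mid \Gamma; \Delta \vdash \Lambda\alpha : \mathsf{Type}.\, (t\, \alpha) = t \\
\beta\text{-}\star & \Xi \mid \Gamma; \Delta \vdash \text{let } \star \text{ be } \star \text{ in } t = t \\
\eta\text{-}\star & \Xi \mid \Gamma; \Delta \vdash \text{let } \star \text{ be } t \text{ in } \star = t \\
\beta\text{-}\otimes & \Xi \mid \Gamma; \Delta \vdash \text{let } x \otimes y \text{ be } s \otimes u \text{ in } t = t[s, u/x, y] \\
\eta\text{-}\otimes & \Xi \mid \Gamma; \Delta \vdash \text{let } x \otimes y \text{ be } t \text{ in } x \otimes y = t \\
\beta\text{-}! & \Xi \mid \Gamma; \Delta \vdash \text{let } {!x} : \sigma \text{ be } {!u} \text{ in } t = t[u/x] \\
\eta\text{-}! & \Xi \mid \Gamma; \Delta \vdash \text{let } {!x} : \sigma \text{ be } t \text{ in } {!x} = t
\end{array} \]

\[ \frac{\Xi \mid \Gamma; \Delta \vdash t = s : \sigma \qquad C[-] \text{ is a } \Xi \mid \Gamma; \Delta \vdash \sigma \;-\; \Xi \mid \Gamma'; \Delta' \vdash \tau \text{ context}}{\Xi \mid \Gamma'; \Delta' \vdash C[t] = C[s]} \]

\[ \frac{C[-] \text{ is a linear context}}{\Xi \mid \Gamma; \Delta \vdash \text{let } \star \text{ be } t \text{ in } C[u] = C[\text{let } \star \text{ be } t \text{ in } u]} \]

\[ \frac{C[-] \text{ is a linear context and does not bind } x, y \text{ or contain them free}}{\Xi \mid \Gamma; \Delta \vdash \text{let } x \otimes y \text{ be } t \text{ in } C[u] = C[\text{let } x \otimes y \text{ be } t \text{ in } u]} \]

\[ \frac{C[-] \text{ is linear and does not bind } x \text{ or contain it free}}{\Xi \mid \Gamma; \Delta \vdash \text{let } {!x} \text{ be } t \text{ in } C[u] = C[\text{let } {!x} \text{ be } t \text{ in } u]} \]

\[ \frac{\Xi \mid \Gamma; - \vdash f : {!\sigma} \multimap \sigma}{\Xi \mid \Gamma; - \vdash f\, !(Y\, \sigma\, (!f)) = Y\, \sigma\, (!f)} \]
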
Figure 2: Rules for external equality 

and hence $f = \lambda^\circ y : {!\sigma}.\, f(y) = \lambda^\circ y : {!\sigma}.\, g(y) = g$. □

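1.1.2. Intuitionistic lambda abstraction. We encode ordinary intuitionistic lambda
abstraction using the Girard encoding $\sigma \to \tau = {!\sigma} \multimap \tau$. The corresponding lambda abstraction is
defined as

\[ \lambda x : \sigma.\, t = \lambda^\circ y : {!\sigma}.\, \text{let } {!x} \text{ be } y \text{ in } t \]

where $y$ is a fresh variable. This gives us the rule

\[ \frac{\Xi \mid \Gamma, x : \sigma; \Delta \vdash t : \tau}{\Xi \mid \Gamma; \Delta \vdash \lambda x : \sigma.\, t : \sigma \to \tau} \]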
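
\[ \Xi ::= - \mid \Xi, \alpha : \mathsf{Type} \qquad\qquad \Gamma ::= - \mid \Gamma, x : \sigma \]

\[ \Theta ::= - \mid \Theta, R : \mathsf{Rel}(\sigma, \tau) \mid \Theta, S : \mathsf{AdmRel}(\sigma, \tau) \]

\[ \begin{array}{lll}
\Xi : \mathsf{Ctx} & \Xi \vdash \sigma : \mathsf{Type} & \Xi \mid \Gamma; \Delta : \mathsf{Ctx} \\
\Xi \mid \Gamma \mid \Theta : \mathsf{Ctx} & \Xi \mid \Gamma; \Delta \vdash t : \sigma & \Xi \mid \Gamma; \Delta \vdash t = u \\
\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau) & \Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{AdmRel}(\sigma, \tau) & \\
\Xi \mid \Gamma \mid \Theta \vdash \phi : \mathsf{Prop} & \Xi \mid \Gamma \mid \Theta \mid \phi_1, \ldots, \phi_n \vdash \psi &
\end{array} \]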

Figure 3: Types of judgments and grammar for LAPL contexts 



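For evaluation we have the rule

\[ \frac{\Xi \mid \Gamma; - \vdash t : \sigma \qquad \Xi \mid \Gamma; \Delta \vdash f : \sigma \to \tau}{\Xi \mid \Gamma; \Delta \vdash f\, {!t} : \tau} \]

and the equality rules give

\[ (\lambda x : \sigma.\, t)\, {!s} = t[s/x]. \]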
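
Unfolding the definition of the intuitionistic abstraction, this equality follows in two steps from the rules β-term and β-! of Figure 2, with $y$ a fresh variable not occurring in $t$ or $s$ (a derivation added here for illustration, not part of the original paper):

\[ \begin{array}{rcll}
(\lambda x : \sigma.\, t)\, {!s} & = & (\lambda^\circ y : {!\sigma}.\, \text{let } {!x} \text{ be } y \text{ in } t)\, {!s} & \text{(definition of } \lambda x : \sigma.\, t \text{)} \\
& = & \text{let } {!x} \text{ be } {!s} \text{ in } t & (\beta\text{-term, substituting } {!s} \text{ for } y) \\
& = & t[s/x] & (\beta\text{-}!)
\end{array} \]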

Note that using this notation the constant $Y$ can obtain the more familiar looking type

\[ Y : \prod\alpha.\, (\alpha \to \alpha) \to \alpha. \]

This notation also explains the occurrences of the $!$'s in the last rule of Figure 2.



1.2. The logic. As mentioned, expressions of LAPL live in contexts of variables of PILLy
and relations among types of PILLy. The contexts look like this:

\[ \Xi \mid \Gamma \mid R_1 : \mathsf{Rel}(\tau_1, \tau'_1), \ldots, R_n : \mathsf{Rel}(\tau_n, \tau'_n), S_1 : \mathsf{AdmRel}(\omega_1, \omega'_1), \ldots, S_m : \mathsf{AdmRel}(\omega_m, \omega'_m) \]

where $\Xi \mid \Gamma; -$ is a context of PILLy and the $\tau_i, \tau'_i, \omega_i, \omega'_i$ are well-formed types in context
$\Xi$, for all $i$. The list of $R$'s and $S$'s is called the relational context and is often denoted $\Theta$.
As for the other contexts we do not allow repetition, but do allow permutation of variables.

The concept of admissible relations is taken from domain theory. Intuitively admissible
relations relate $\bot$ to $\bot$ and are chain complete.

It is important to note that there is no linear component $\Delta$ in the contexts — the point
is that the logic only allows for intuitionistic (no linearity) reasoning about terms of PILLy, 
whereas PILLy terms can behave linearly. This simplification of the logic has been chosen 
since all parametricity arguments in our knowledge involve purely intuitionistic reasoning. 

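Propositions in the logic are given by the syntax:

\[ \begin{array}{rl}
\phi ::= & (t =_\sigma u) \mid \rho(t, u) \mid \phi \supset \psi \mid \bot \mid \top \mid \phi \wedge \psi \mid \phi \vee \psi \mid \forall\alpha : \mathsf{Type}.\, \phi \mid \\
& \forall x : \sigma.\, \phi \mid \forall R : \mathsf{Rel}(\sigma, \tau).\, \phi \mid \forall S : \mathsf{AdmRel}(\sigma, \tau).\, \phi \mid \\
& \exists\alpha : \mathsf{Type}.\, \phi \mid \exists x : \sigma.\, \phi \mid \exists R : \mathsf{Rel}(\sigma, \tau).\, \phi \mid \exists S : \mathsf{AdmRel}(\sigma, \tau).\, \phi
\end{array} \]

where $\rho$ is a definable relation (to be defined below). The judgments of the logic are
presented in Figure 3. In the following we give formation rules for the above.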

Remark 1.4. Our Linear Abadi & Plotkin logic is designed for reasoning about binary 
relational parametricity. For reasoning about other arities of parametricity, one can easily 
replace binary relations in the logic by relations of other arities. In the case of unary 
parametricity, for example, one would then have an interpretation of types as predicates. 
See also [Tak98, Wad04].

We first have the formation rule for internal equality:

\[ \frac{\Xi \mid \Gamma; - \vdash t : \sigma \qquad \Xi \mid \Gamma; - \vdash u : \sigma}{\Xi \mid \Gamma \mid \Theta \vdash t =_\sigma u : \mathsf{Prop}} \]

Notice here the notational difference between $t = u$ and $t =_\sigma u$. The former denotes external
equality and the latter is a proposition in the logic. The rules for $\supset$, $\vee$ and $\wedge$ are the usual
ones, where $\supset$ denotes implication. $\top$, $\bot$ are propositions in any context. We use $\supset\subset$ for
biimplication.

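We have the following formation rules for universal quantification:

\[ \frac{\Xi \mid \Gamma, x : \sigma \mid \Theta \vdash \phi : \mathsf{Prop}}{\Xi \mid \Gamma \mid \Theta \vdash \forall x : \sigma.\, \phi : \mathsf{Prop}} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta, R : \mathsf{Rel}(\sigma, \tau) \vdash \phi : \mathsf{Prop}}{\Xi \mid \Gamma \mid \Theta \vdash \forall R : \mathsf{Rel}(\sigma, \tau).\, \phi : \mathsf{Prop}} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta, S : \mathsf{AdmRel}(\sigma, \tau) \vdash \phi : \mathsf{Prop}}{\Xi \mid \Gamma \mid \Theta \vdash \forall S : \mathsf{AdmRel}(\sigma, \tau).\, \phi : \mathsf{Prop}} \]

\[ \frac{\Xi, \alpha \mid \Gamma \mid \Theta \vdash \phi : \mathsf{Prop}}{\Xi \mid \Gamma \mid \Theta \vdash \forall\alpha : \mathsf{Type}.\, \phi : \mathsf{Prop}} \quad \Xi \mid \Gamma \mid \Theta \text{ is well-formed} \]

The side condition "$\Xi \mid \Gamma \mid \Theta$ is well-formed" means that all the types of variables in $\Gamma$ and
of relation variables in $\Theta$ are well-formed in $\Xi$ (i.e., all the free type variables of the types
occur in $\Xi$).

There are similar formation rules for the existential quantifier.

Before we give the formation rule for $\rho(t, u)$, we discuss definable relations.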

1.2.1. Definable relations. Definable relations are given by the grammar:

\[ \rho ::= R \mid (x : \sigma, y : \tau).\, \phi \mid \sigma[\vec{R}] \]

Definable relations always have a domain and a codomain, just as terms always have types.
The basic formation rules for definable relations are:

\[ \Xi \mid \Gamma \mid \Theta, R : \mathsf{Rel}(\sigma, \tau) \vdash R : \mathsf{Rel}(\sigma, \tau) \]

\[ \frac{\Xi \mid \Gamma, x : \sigma, y : \tau \mid \Theta \vdash \phi : \mathsf{Prop}}{\Xi \mid \Gamma \mid \Theta \vdash (x : \sigma, y : \tau).\, \phi : \mathsf{Rel}(\sigma, \tau)} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{AdmRel}(\sigma, \tau)}{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau)} \]

Notice that in the second rule we can only abstract intuitionistic variables to obtain
definable relations. In the last rule, $\rho : \mathsf{AdmRel}(\sigma, \tau)$ is an admissible relation, a concept to be
discussed below. The rule says that the admissible relations constitute a subset of the
definable relations. The last construction of the grammar refers to the relational interpretation
of types and will be discussed in Section 1.2.3.

An example of a definable relation is the graph relation of a function:

\[ \langle f \rangle = (x : \sigma, y : \tau).\, f\, x =_\tau y, \]

for $f : \sigma \multimap \tau$. The equality relation $eq_\sigma$ is defined as the graph of the identity map.
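
If $\rho : \mathsf{Rel}(\sigma, \tau)$ is a definable relation, and we are given terms of the right types, then we
may form the proposition stating that the two terms are related by the definable relation:

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau) \qquad \Xi \mid \Gamma; - \vdash t : \sigma, s : \tau}{\Xi \mid \Gamma \mid \Theta \vdash \rho(t, s) : \mathsf{Prop}} \qquad (1.1) \]

We shall also write $t \rho s$ for $\rho(t, s)$.

Relations can be reindexed along PILLy maps as in the following derivable rule

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau) \qquad \Xi \mid \Gamma; - \vdash f : \sigma' \multimap \sigma, g : \tau' \multimap \tau}{\Xi \mid \Gamma \mid \Theta \vdash (x : \sigma', y : \tau').\, \rho(f\, x, g\, y) : \mathsf{Rel}(\sigma', \tau')} \]

where $x, y$ are fresh variables. We shall use the shorthand notation $(f, g)^*\rho$ for

\[ (x : \sigma', y : \tau').\, \rho(f\, x, g\, y). \]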



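1.2.2. Constructions on definable relations. In this subsection we present some
constructions on definable relations - one for each type constructor of PILLy. These will be used to
give a relational interpretation of the types of PILLy.

If $\rho : \mathsf{Rel}(\sigma, \tau)$ and $\rho' : \mathsf{Rel}(\sigma', \tau')$ define

\[ \rho \multimap \rho' = (f : \sigma \multimap \sigma', g : \tau \multimap \tau').\, \forall x : \sigma.\, \forall y : \tau.\, \rho(x, y) \supset \rho'(f\, x, g\, y) \]

for fresh variables $x, y, f, g$. Then the rule

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau), \rho' : \mathsf{Rel}(\sigma', \tau')}{\Xi \mid \Gamma \mid \Theta \vdash (\rho \multimap \rho') : \mathsf{Rel}((\sigma \multimap \sigma'), (\tau \multimap \tau'))} \]

is derivable.

If

\[ \Xi, \alpha, \beta \mid \Gamma \mid \Theta, R : \mathsf{AdmRel}(\alpha, \beta) \vdash \rho : \mathsf{Rel}(\sigma, \tau) \]

is well-formed and $\Xi \mid \Gamma \mid \Theta$ is well-formed, $\Xi, \alpha \vdash \sigma : \mathsf{Type}$, and $\Xi, \beta \vdash \tau : \mathsf{Type}$ we may
define the relation

\[ \Xi \mid \Gamma \mid \Theta \vdash \forall(\alpha, \beta, R : \mathsf{AdmRel}(\alpha, \beta)).\, \rho : \mathsf{Rel}((\textstyle\prod\alpha : \mathsf{Type}.\, \sigma), (\textstyle\prod\beta : \mathsf{Type}.\, \tau)) \]

as

\[ \begin{array}{l}
\forall(\alpha, \beta, R : \mathsf{AdmRel}(\alpha, \beta)).\, \rho = \\
\quad (t : \prod\alpha : \mathsf{Type}.\, \sigma, u : \prod\beta : \mathsf{Type}.\, \tau).\, \forall\alpha, \beta : \mathsf{Type}.\, \forall R : \mathsf{AdmRel}(\alpha, \beta).\, \rho(t\, \alpha, u\, \beta).
\end{array} \]

In Section 2 we will show how to encode the type constructors $\otimes$, $!$, $I$ using $\multimap$, $\to$ and
polymorphism as in Figure 5 below. At this point we have not discussed parametricity
and so can not use the encodings, but we will still use these for the definitions of the
constructions on relations corresponding to $\otimes$, $I$ and $!$. The relational interpretations of
$\otimes$, $I$, $!$ are due to Alex Simpson, who also uses this relational interpretation of $!$ in a more
general context in [Sim06].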

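First we define the tensor product of $\rho$ and $\rho'$

\[ \rho \otimes \rho' : \mathsf{Rel}((\sigma \otimes \sigma'), (\tau \otimes \tau')), \]

for $\rho : \mathsf{Rel}(\sigma, \tau)$ and $\rho' : \mathsf{Rel}(\sigma', \tau')$. We first introduce the map

\[ f_{\sigma, \sigma'} : \sigma \otimes \sigma' \multimap \prod\alpha.\, (\sigma \multimap \sigma' \multimap \alpha) \multimap \alpha \]

defined as

\[ f_{\sigma, \sigma'}\, x = \text{let } x' \otimes x'' : \sigma \otimes \sigma' \text{ be } x \text{ in } \Lambda\alpha.\, \lambda^\circ h : \sigma \multimap \sigma' \multimap \alpha.\, h\, x'\, x''. \]

Then we define

\[ \rho \otimes \rho' = (f_{\sigma, \sigma'}, f_{\tau, \tau'})^*(\forall(\alpha, \beta, R : \mathsf{AdmRel}(\alpha, \beta)).\, (\rho \multimap \rho' \multimap R) \multimap R), \]

or, if we write it out,

\[ \begin{array}{l}
\rho \otimes \rho' = (x : \sigma \otimes \sigma', y : \tau \otimes \tau').\, \forall\alpha, \beta, R : \mathsf{AdmRel}(\alpha, \beta). \\
\quad \forall t : \sigma \multimap \sigma' \multimap \alpha, t' : \tau \multimap \tau' \multimap \beta.\, (\rho \multimap \rho' \multimap R)(t, t') \supset \\
\quad R(\text{let } x' \otimes x'' \text{ be } x \text{ in } t\, x'\, x'', \text{let } y' \otimes y'' \text{ be } y \text{ in } t'\, y'\, y'').
\end{array} \]

As a derivable rule we get

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau), \rho' : \mathsf{Rel}(\sigma', \tau')}{\Xi \mid \Gamma \mid \Theta \vdash (\rho \otimes \rho') : \mathsf{Rel}((\sigma \otimes \sigma'), (\tau \otimes \tau'))} \]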
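
Following the same strategy, we define a relation $I_{Rel} : \mathsf{Rel}(I, I)$ using the map

\[ f : I \multimap \prod\alpha.\, \alpha \multimap \alpha \]

defined as $\lambda^\circ x : I.\, \text{let } \star \text{ be } x \text{ in } id$, where $id = \Lambda\alpha.\, \lambda^\circ x : \alpha.\, x$, and define

\[ I_{Rel} = (f, f)^*(\forall(\alpha, \beta, R : \mathsf{AdmRel}(\alpha, \beta)).\, R \multimap R), \]

which, if we write it out, is

\[ \begin{array}{l}
(x : I, y : I).\, \forall(\alpha, \beta, R : \mathsf{AdmRel}(\alpha, \beta)).\, \forall z : \alpha, w : \beta. \\
\quad z R w \supset (\text{let } \star \text{ be } x \text{ in } z)\, R\, (\text{let } \star \text{ be } y \text{ in } w).
\end{array} \]

The relation $I_{Rel}$ types in any context, i.e., $\Xi \mid \Gamma \mid \Theta \vdash I_{Rel} : \mathsf{Rel}(I, I)$ is derivable for any
well-formed context $\Xi \mid \Gamma \mid \Theta$.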

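The encoding of $!$ in Figure 5 uses $\to$, which was defined above as $\sigma \to \tau = {!\sigma} \multimap \tau$, but
since $\to$ has a natural relational interpretation, we will still use this to define the relational
interpretation of $!$.

For $\rho : \mathsf{Rel}(\sigma, \tau)$ and $\rho' : \mathsf{Rel}(\sigma', \tau')$ we define

\[ \rho \to \rho' = (f : \sigma \to \sigma', g : \tau \to \tau').\, \forall x : \sigma, y : \tau.\, \rho(x, y) \supset \rho'(f(!x), g(!y)) \]

Now, define for any type $\sigma$ the map $f_\sigma : {!\sigma} \multimap \prod\alpha.\, (\sigma \to \alpha) \multimap \alpha$ as

\[ \lambda^\circ x : {!\sigma}.\, \Lambda\alpha.\, \lambda^\circ g : \sigma \to \alpha.\, g(x). \]

The relation $!\rho : \mathsf{Rel}(!\sigma, !\tau)$ is defined as

\[ (f_\sigma, f_\tau)^*(\forall(\alpha, \beta, R : \mathsf{AdmRel}(\alpha, \beta)).\, (\rho \to R) \multimap R). \]

The derivable typing rule is

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau)}{\Xi \mid \Gamma \mid \Theta \vdash {!\rho} : \mathsf{Rel}(!\sigma, !\tau)} \]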

Remark 1.5. In [BMP05] we show how the constructions on relations presented in this
section give rise to a PILLy-model of admissible relations. In other words $\otimes$, defines
a symmetric monoidal structure on relations, $!$ extends this to a linear structure, and
$\forall(\alpha, \beta, R : \mathsf{AdmRel}(\alpha, \beta))$ defines a polymorphic product.

Remark 1.6. The definitions of $\rho \otimes \rho'$ and $!\rho$ involve an implicit admissible closure operator
discussed in Section 1.2.5 below. This operator helps secure that the collection of admissible
relations is closed under the constructions above (see Proposition 1.7 below).
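
1.2.3. Admissible relations. As mentioned in the introduction, for the theory of
parametricity to be consistent in a type theory with recursion the parametricity principle must be
weakened. For this purpose we introduce a notion of admissible relations axiomatized in
Figure 4. In these rules $\rho \equiv \rho'$ is a shorthand for $\forall x, y.\, \rho(x, y) \supset\subset \rho'(x, y)$.

\[ \Xi \mid \Gamma \mid \Theta, R : \mathsf{AdmRel}(\sigma, \tau) \vdash R : \mathsf{AdmRel}(\sigma, \tau) \]

\[ \Xi \mid \Gamma \mid \Theta \vdash eq_\sigma : \mathsf{AdmRel}(\sigma, \sigma) \]

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{AdmRel}(\sigma, \tau) \qquad \Xi \mid \Gamma; - \vdash t : \sigma' \multimap \sigma, u : \tau' \multimap \tau \qquad x, y \notin \Gamma}{\Xi \mid \Gamma \mid \Theta \vdash (x : \sigma', y : \tau').\, \rho(t\, x, u\, y) : \mathsf{AdmRel}(\sigma', \tau')} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho, \rho' : \mathsf{AdmRel}(\sigma, \tau) \qquad x, y \notin \Gamma}{\Xi \mid \Gamma \mid \Theta \vdash (x : \sigma, y : \tau).\, \rho(x, y) \wedge \rho'(x, y) : \mathsf{AdmRel}(\sigma, \tau)} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{AdmRel}(\sigma, \tau) \qquad x, y \notin \Gamma}{\Xi \mid \Gamma \mid \Theta \vdash (x : \tau, y : \sigma).\, \rho(y, x) : \mathsf{AdmRel}(\tau, \sigma)} \]

\[ \frac{x, y \notin \Gamma}{\Xi \mid \Gamma \mid \Theta \vdash (x : \sigma, y : \tau).\, \top : \mathsf{AdmRel}(\sigma, \tau)} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{AdmRel}(\sigma, \tau) \qquad \Xi \mid \Gamma \mid \Theta \vdash \phi : \mathsf{Prop} \qquad x, y \notin \Gamma}{\Xi \mid \Gamma \mid \Theta \vdash (x : \sigma, y : \tau).\, \phi \supset \rho(x, y) : \mathsf{AdmRel}(\sigma, \tau)} \]

\[ \frac{\Xi, \alpha \mid \Gamma \mid \Theta \vdash \rho : \mathsf{AdmRel}(\sigma, \tau) \qquad \Xi \mid \Gamma \mid \Theta \qquad \Xi \vdash \sigma : \mathsf{Type} \qquad \Xi \vdash \tau : \mathsf{Type} \qquad x, y \notin \Gamma}{\Xi \mid \Gamma \mid \Theta \vdash (x : \sigma, y : \tau).\, \forall\alpha : \mathsf{Type}.\, \rho(x, y) : \mathsf{AdmRel}(\sigma, \tau)} \]

\[ \frac{\Xi \mid \Gamma, z : \omega \mid \Theta \vdash \rho : \mathsf{AdmRel}(\sigma, \tau) \qquad x, y \notin \Gamma}{\Xi \mid \Gamma \mid \Theta \vdash (x : \sigma, y : \tau).\, \forall z : \omega.\, \rho(x, y) : \mathsf{AdmRel}(\sigma, \tau)} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta, R : \mathsf{AdmRel}(\omega, \omega') \vdash \rho : \mathsf{AdmRel}(\sigma, \tau) \qquad x, y \notin \Gamma}{\Xi \mid \Gamma \mid \Theta \vdash (x : \sigma, y : \tau).\, \forall R : \mathsf{AdmRel}(\omega, \omega').\, \rho(x, y) : \mathsf{AdmRel}(\sigma, \tau)} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta, R : \mathsf{Rel}(\omega, \omega') \vdash \rho : \mathsf{AdmRel}(\sigma, \tau) \qquad x, y \notin \Gamma}{\Xi \mid \Gamma \mid \Theta \vdash (x : \sigma, y : \tau).\, \forall R : \mathsf{Rel}(\omega, \omega').\, \rho(x, y) : \mathsf{AdmRel}(\sigma, \tau)} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{AdmRel}(\sigma, \tau), \rho' : \mathsf{Rel}(\sigma, \tau) \qquad \Xi \mid \Gamma \mid \Theta \mid \top \vdash \rho \equiv \rho'}{\Xi \mid \Gamma \mid \Theta \vdash \rho' : \mathsf{AdmRel}(\sigma, \tau)} \]

\[ \frac{\alpha_1, \ldots, \alpha_n \vdash \sigma(\vec{\alpha}) : \mathsf{Type} \qquad \Xi \mid \Gamma \mid \Theta \vdash \rho_1 : \mathsf{AdmRel}(\tau_1, \tau'_1), \ldots, \rho_n : \mathsf{AdmRel}(\tau_n, \tau'_n)}{\Xi \mid \Gamma \mid \Theta \vdash \sigma[\vec{\rho}] : \mathsf{AdmRel}(\sigma(\vec{\tau}), \sigma(\vec{\tau}'))} \]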

Figure 4: Rules for admissible relations 

A few comments are needed for the last of the rules in Figure 4. First observe that $\sigma[\vec{\rho}]$ is
a syntactic construction and is not obtained by substitution as in [PA93]. Still the notation
$\sigma[\rho_1/\alpha_1, \ldots, \rho_n/\alpha_n]$ might be more complete, but this quickly becomes overly verbose. In
[PA93] $\sigma[\vec{\rho}]$ is to some extent defined inductively on the structure of $\sigma$, but in our case that
is not enough, since we will need to form $\sigma[\vec{\rho}]$ for type constants (when using the internal
language of a model of LAPL). The inductive definition over the type structure is instead
reflected in axioms 1.22 to 1.27.

We call $\sigma[\vec{\rho}]$ the relational interpretation of the type $\sigma$.

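Proposition 1.7. The class of admissible relations contains all graphs and is closed under
the constructions of Section 1.2.2; in fact the following more general rules hold

\[ \frac{\Xi \mid \Gamma; - \vdash f : \sigma \multimap \tau}{\Xi \mid \Gamma \mid \Theta \vdash \langle f \rangle : \mathsf{AdmRel}(\sigma, \tau)} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau), \rho' : \mathsf{AdmRel}(\sigma', \tau')}{\Xi \mid \Gamma \mid \Theta \vdash (\rho \multimap \rho') : \mathsf{AdmRel}((\sigma \multimap \sigma'), (\tau \multimap \tau'))} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau), \rho' : \mathsf{AdmRel}(\sigma', \tau')}{\Xi \mid \Gamma \mid \Theta \vdash (\rho \to \rho') : \mathsf{AdmRel}((\sigma \to \sigma'), (\tau \to \tau'))} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau), \rho' : \mathsf{Rel}(\sigma', \tau')}{\Xi \mid \Gamma \mid \Theta \vdash (\rho \otimes \rho') : \mathsf{AdmRel}((\sigma \otimes \sigma'), (\tau \otimes \tau'))} \]

\[ \frac{\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathsf{Rel}(\sigma, \tau)}{\Xi \mid \Gamma \mid \Theta \vdash {!\rho} : \mathsf{AdmRel}(!\sigma, !\tau)} \]

\[ \Xi \mid \Gamma \mid \Theta \vdash I_{Rel} : \mathsf{AdmRel}(I, I) \]

\[ \frac{\Xi, \alpha, \beta \mid \Gamma \mid \Theta, R : \mathsf{AdmRel}(\alpha, \beta) \vdash \rho : \mathsf{AdmRel}(\sigma, \tau) \qquad \Xi, \alpha \vdash \sigma : \mathsf{Type} \qquad \Xi, \beta \vdash \tau : \mathsf{Type}}{\Xi \mid \Gamma \mid \Theta \vdash \forall(\alpha, \beta, R : \mathsf{AdmRel}(\alpha, \beta)).\, \rho : \mathsf{AdmRel}((\prod\alpha : \mathsf{Type}.\, \sigma), (\prod\beta : \mathsf{Type}.\, \tau))} \]

where the last rule has the side condition that $\Xi \mid \Gamma \mid \Theta$ must be well-formed.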

Proof. Graph relations are admissible since equality relations are and admissible relations
are closed under reindexing. For the constructions of Section 1.2.2 we just give the proof
of $\multimap$.

We must prove that for $\rho : \mathsf{Rel}(\sigma, \tau)$, $\rho' : \mathsf{AdmRel}(\sigma', \tau')$ relations in the same context
$\rho \multimap \rho'$ is admissible. Consider first the relation

\[ (f : \sigma \multimap \sigma', g : \tau \multimap \tau').\, \rho'(f\, x, g\, y) \]

in the context where we have added fresh variables $x : \sigma, y : \tau$ to the contexts of $\rho, \rho'$. This
relation is a reindexing of $\rho'$ along the evaluation maps, which are linear, and so the relation
is admissible. Since $f, g$ do not occur freely in $\rho$, also

\[ (f : \sigma \multimap \sigma', g : \tau \multimap \tau').\, \rho(x, y) \supset \rho'(f\, x, g\, y) \]

is admissible, and so since admissible relations are closed under universal quantification,
$\rho \multimap \rho'$ is admissible. □

1.2.4. Axioms and Rules. The last judgment in Figure 3 has not yet been mentioned. It
says that in the given context, the formulas $\phi_1, \ldots, \phi_n$ collectively imply $\psi$. We will often
write $\Phi$ for $\phi_1, \ldots, \phi_n$.

Having specified the language of LAPL, it is time to specify the axioms and inference 
rules. We have all the usual axioms and rules of predicate logic plus the axioms and rules 
specified below. 

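Rules for substitution:

Rule 1.8.
$$\frac{\Xi \mid \Gamma, x : \sigma \mid \Theta \mid \top \vdash \phi \qquad \Xi \mid \Gamma \vdash t : \sigma}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash \phi[t/x]}$$

Rule 1.9.
$$\frac{\Xi \mid \Gamma \mid \Theta, R : \mathrm{Rel}(\sigma,\tau) \mid \top \vdash \phi \qquad \Xi \mid \Gamma \mid \Theta \vdash \rho : \mathrm{Rel}(\sigma,\tau)}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash \phi[\rho/R]}$$

Rule 1.10.
$$\frac{\Xi \mid \Gamma \mid \Theta, S : \mathrm{AdmRel}(\sigma,\tau) \mid \top \vdash \phi \qquad \Xi \mid \Gamma \mid \Theta \vdash \rho : \mathrm{AdmRel}(\sigma,\tau)}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash \phi[\rho/S]}$$

Rule 1.11.
$$\frac{\Xi,\alpha \mid \Gamma \mid \Theta \mid \top \vdash \phi \qquad \Xi \vdash \sigma : \mathrm{Type}}{\Xi \mid \Gamma[\sigma/\alpha] \mid \Theta[\sigma/\alpha] \mid \top \vdash \phi[\sigma/\alpha]}$$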

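The substitution axiom:

Axiom 1.12.
$$\forall \alpha,\beta : \mathrm{Type}.\ \forall x,x' : \alpha.\ \forall y,y' : \beta.\ \forall R : \mathrm{Rel}(\alpha,\beta).\ R(x,y) \wedge x =_\alpha x' \wedge y =_\beta y' \supset R(x',y')$$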

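Rules for $\forall$-quantification (each rule is drawn with a double line, and the judgment to its right is the side condition):

Rule 1.13.
$$\begin{array}{c}\Xi,\alpha \mid \Gamma \mid \Theta \mid \Phi \vdash \psi\\ \hline\hline \Xi \mid \Gamma \mid \Theta \mid \Phi \vdash \forall\alpha : \mathrm{Type}.\ \psi\end{array}\qquad \Xi \mid \Gamma \mid \Theta \vdash \Phi$$

Rule 1.14.
$$\begin{array}{c}\Xi \mid \Gamma, x : \sigma \mid \Theta \mid \Phi \vdash \psi\\ \hline\hline \Xi \mid \Gamma \mid \Theta \mid \Phi \vdash \forall x : \sigma.\ \psi\end{array}\qquad \Xi \mid \Gamma \mid \Theta \vdash \Phi$$

Rule 1.15.
$$\begin{array}{c}\Xi \mid \Gamma \mid \Theta, R : \mathrm{Rel}(\tau,\tau') \mid \Phi \vdash \psi\\ \hline\hline \Xi \mid \Gamma \mid \Theta \mid \Phi \vdash \forall R : \mathrm{Rel}(\tau,\tau').\ \psi\end{array}\qquad \Xi \mid \Gamma \mid \Theta \vdash \Phi$$

Rule 1.16.
$$\begin{array}{c}\Xi \mid \Gamma \mid \Theta, S : \mathrm{AdmRel}(\tau,\tau') \mid \Phi \vdash \psi\\ \hline\hline \Xi \mid \Gamma \mid \Theta \mid \Phi \vdash \forall S : \mathrm{AdmRel}(\tau,\tau').\ \psi\end{array}\qquad \Xi \mid \Gamma \mid \Theta \vdash \Phi$$

Rules for $\exists$-quantification:

Rule 1.17.
$$\begin{array}{c}\Xi,\alpha \mid \Gamma \mid \Theta \mid \phi \vdash \psi\\ \hline\hline \Xi \mid \Gamma \mid \Theta \mid \exists\alpha : \mathrm{Type}.\ \phi \vdash \psi\end{array}\qquad \Xi \mid \Gamma \mid \Theta \vdash \psi$$

Rule 1.18.
$$\begin{array}{c}\Xi \mid \Gamma, x : \sigma \mid \Theta \mid \phi \vdash \psi\\ \hline\hline \Xi \mid \Gamma \mid \Theta \mid \exists x : \sigma.\ \phi \vdash \psi\end{array}\qquad \Xi \mid \Gamma \mid \Theta \vdash \psi$$

Rule 1.19.
$$\begin{array}{c}\Xi \mid \Gamma \mid \Theta, R : \mathrm{Rel}(\tau,\tau') \mid \phi \vdash \psi\\ \hline\hline \Xi \mid \Gamma \mid \Theta \mid \exists R : \mathrm{Rel}(\tau,\tau').\ \phi \vdash \psi\end{array}\qquad \Xi \mid \Gamma \mid \Theta \vdash \psi$$

Rule 1.20.
$$\begin{array}{c}\Xi \mid \Gamma \mid \Theta, S : \mathrm{AdmRel}(\tau,\tau') \mid \phi \vdash \psi\\ \hline\hline \Xi \mid \Gamma \mid \Theta \mid \exists S : \mathrm{AdmRel}(\tau,\tau').\ \phi \vdash \psi\end{array}\qquad \Xi \mid \Gamma \mid \Theta \vdash \psi$$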
External equality implies internal equality:

Rule 1.21.
$$\frac{\Xi \mid \Gamma; - \vdash t, u : \sigma \qquad \Xi \mid \Gamma; - \vdash t = u}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash t =_\sigma u}$$

There are also obvious rules expressing that internal equality is an equivalence relation. 
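We have rules concerning the interpretation of types as relations:

Rule 1.22.
$$\frac{\vec\alpha \vdash \alpha_i : \mathrm{Type} \qquad \Xi \mid \Gamma \mid \Theta \vdash \vec\rho : \mathrm{AdmRel}(\vec\tau, \vec\tau')}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash \alpha_i[\vec\rho] \equiv \rho_i}$$

Rule 1.23.
$$\frac{\vec\alpha \vdash \sigma \multimap \sigma' : \mathrm{Type} \qquad \Xi \mid \Gamma \mid \Theta \vdash \vec\rho : \mathrm{AdmRel}(\vec\tau, \vec\tau')}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash (\sigma \multimap \sigma')[\vec\rho] \equiv (\sigma[\vec\rho] \multimap \sigma'[\vec\rho])}$$

Rule 1.24.
$$\frac{\vec\alpha \vdash \sigma \otimes \sigma' : \mathrm{Type} \qquad \Xi \mid \Gamma \mid \Theta \vdash \vec\rho : \mathrm{AdmRel}(\vec\tau, \vec\tau')}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash (\sigma \otimes \sigma')[\vec\rho] \equiv (\sigma[\vec\rho] \otimes \sigma'[\vec\rho])}$$

Rule 1.25.
$$\frac{\Xi \mid \Gamma \mid \Theta \vdash \vec\rho : \mathrm{AdmRel}(\vec\tau, \vec\tau')}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash I[\vec\rho] \equiv I_{Rel}}$$

Rule 1.26.
$$\frac{\vec\alpha \vdash \prod\beta.\ \sigma(\vec\alpha,\beta) : \mathrm{Type} \qquad \Xi \mid \Gamma \mid \Theta \vdash \vec\rho : \mathrm{AdmRel}(\vec\tau, \vec\tau')}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash (\prod\beta.\ \sigma(\vec\alpha,\beta))[\vec\rho] \equiv \forall(\beta,\beta',R : \mathrm{AdmRel}(\beta,\beta')).\ \sigma[\vec\rho, R]}$$

Rule 1.27.
$$\frac{\vec\alpha \vdash \sigma : \mathrm{Type} \qquad \Xi \mid \Gamma \mid \Theta \vdash \vec\rho : \mathrm{AdmRel}(\vec\tau, \vec\tau')}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash (!\sigma)[\vec\rho] \equiv\ !(\sigma[\vec\rho])}$$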

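If the definable relation $\rho$ is of the form $(x : \sigma, y : \tau).\ \phi(x,y)$, then $\rho(t,u)$ is equivalent
to $\phi$ with $x, y$ substituted by $t, u$:

Rule 1.28.
$$\frac{\Xi \mid \Gamma, x : \sigma, y : \tau \mid \Theta \vdash \phi : \mathrm{Prop} \qquad \Xi \mid \Gamma; - \vdash t : \sigma,\ u : \tau}{\Xi \mid \Gamma \mid \Theta \mid \top \vdash ((x : \sigma, y : \tau).\ \phi)(t,u) \supset\subset \phi[t,u/x,y]}$$

Axiom 1.29.
$$\Xi \mid \Gamma \mid \Theta \mid \top \vdash (\textstyle\prod\alpha.\ (\alpha \to \alpha) \to \alpha)(Y, Y)$$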

Given a definable relation $\rho$ we may construct a proposition $\rho(x,y)$. On the other
hand, if $\phi$ is a proposition containing two free variables $x$ and $y$, then we may construct the
definable relation $(x,y).\ \phi$. The next lemma tells us that these constructions give a
correspondence between definable relations and propositions, which is bijective up to provable
equivalence in the logic.

Lemma 1.30. Suppose $\Xi \mid \Gamma, x : \sigma, y : \tau \mid \Theta \vdash \phi$ is a proposition. Then

$$\Xi \mid \Gamma \mid \Theta \mid \top \vdash ((x : \sigma, y : \tau).\ \phi)(x,y) \supset\subset \phi.$$

Suppose $\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathrm{Rel}(\sigma,\tau)$ is a definable relation, then

$$\Xi \mid \Gamma \mid \Theta \mid \top \vdash \rho \equiv (x : \sigma, y : \tau).\ \rho(x,y).$$

The substitution axiom above implies the replacement rule:

Lemma 1.31.
$$\frac{\Xi \mid \Gamma \mid - \mid \top \vdash t =_\sigma t' \qquad \Xi \mid \Gamma, x : \sigma; - \vdash u : \tau}{\Xi \mid \Gamma \mid - \mid \top \vdash u[t/x] =_\tau u[t'/x]}$$
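Proof. Consider the definable relation

$$\rho = (y : \sigma, z : \sigma).\ u[y/x] =_\tau u[z/x].$$

Clearly $\rho(t,t)$ holds, so by substitution $\rho(t,t')$ holds. □

Lemma 1.32. Suppose $\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathrm{Rel}(\sigma,\tau),\ \rho' : \mathrm{Rel}(\sigma',\tau')$ and $x, x', y, y'$ are fresh
variables. Then

$$\Xi \mid \Gamma \mid \Theta \vdash \forall x : \sigma, x' : \sigma', y : \tau, y' : \tau'.\ \rho(x,y) \wedge \rho'(x',y') \supset (\rho \otimes \rho')(x \otimes x', y \otimes y')$$

Proof. Suppose $\rho(x,y) \wedge \rho'(x',y')$ and that $(\rho \multimap \rho' \multimap R)(t,t')$. Then clearly $R(t\,x\,x', t'\,y\,y')$
and thus, since

$$\mathrm{let}\ x \otimes x'\ \mathrm{be}\ x \otimes x'\ \mathrm{in}\ t\,x\,x' = t\,x\,x',$$

we conclude $(\rho \otimes \rho')(x \otimes x', y \otimes y')$. □

Lemma 1.33. Suppose $\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathrm{Rel}(\sigma,\tau)$ then

$$\Xi \mid \Gamma \mid \Theta \mid \top \vdash \forall x : \sigma, y : \tau.\ \rho(x,y) \supset (!\rho)(!x, !y)$$

If $\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathrm{AdmRel}(\sigma,\tau)$ then

$$\Xi \mid \Gamma \mid \Theta \mid \top \vdash \forall x : \sigma, y : \tau.\ \rho(x,y) \supset\subset (!\rho)(!x, !y)$$

Proof. The first statement is clear from the definition of $!\rho$. For the right to left implication
in the case of $\rho$ being admissible, observe that $(\lambda x : \sigma.\ x, \lambda x : \tau.\ x) : \rho \to \rho$. Since $!x\,(!\rho)\,!y$
this implies

$$\rho((\lambda x : \sigma.\ x)(!x), (\lambda x : \tau.\ x)(!y)),$$

i.e., $\rho(x,y)$. □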

Recall that in Section 1.2.2 the construction $\to$ was defined directly on relations,
whereas in PILL$_Y$ the type constructor $\to$ is shorthand for $!(-) \multimap (=)$. The next lemma
shows that the relations $\rho \to \rho'$ and $!\rho \multimap \rho'$ coincide in the case of $\rho'$ being admissible.

Lemma 1.34. Suppose $\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathrm{Rel}(\sigma,\tau),\ \rho' : \mathrm{Rel}(\sigma',\tau')$. Then

$$\Xi \mid \Gamma \mid \Theta \mid \top \vdash \forall f : \sigma \to \sigma', g : \tau \to \tau'.\ (\rho \to \rho')(f,g) \subset (!\rho \multimap \rho')(f,g).$$

If $\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathrm{Rel}(\sigma,\tau),\ \rho' : \mathrm{AdmRel}(\sigma',\tau')$ then

$$\Xi \mid \Gamma \mid \Theta \mid \top \vdash (\rho \to \rho') \equiv (!\rho \multimap \rho').$$

Proof. For the first implication, suppose $(f,g) : !\rho \multimap \rho'$. We must show that if $\rho(x,y)$ then
$\rho'(f(!x), g(!y))$, which follows from the assumptions since $!\rho(!x, !y)$.

For the second half, we must show that if $\rho'$ is admissible and $(\rho \to \rho')(f,g)$ and $!\rho(x,y)$
then $\rho'(f(x), g(y))$. But this follows from the definition of $!\rho(x,y)$ when using that $\rho'$ is
admissible. □
1.2.5. A closure operator for admissible relations. In this section we present a closure
operator on relations giving the least admissible relation containing a given relation. This
closure operator will be particularly useful for proving coinduction principles later. Recall
from Proposition 1.7 that for $\rho$ any relation and $\rho'$ admissible, $\rho \multimap \rho'$ is admissible. This
means that for any relation $\rho : \mathrm{Rel}(\sigma,\tau)$,

$$(\forall \alpha,\beta, S : \mathrm{AdmRel}(\alpha,\beta)).\ (\rho \multimap S) \multimap S$$

is an admissible relation from $\prod\alpha.\ (\sigma \multimap \alpha) \multimap \alpha$ to $\prod\alpha.\ (\tau \multimap \alpha) \multimap \alpha$. We define $\Phi(\rho)$ to
be the admissible relation obtained by pulling back this relation along the canonical maps
$\sigma \multimap \prod\alpha.\ (\sigma \multimap \alpha) \multimap \alpha$ and $\tau \multimap \prod\alpha.\ (\tau \multimap \alpha) \multimap \alpha$, i.e. $\Phi(\rho)$ is

$$(x : \sigma, y : \tau).\ (\forall \alpha,\beta, S : \mathrm{AdmRel}(\alpha,\beta)).\ \forall f, g.\ (\rho \multimap S)(f,g) \supset S(f\,x, g\,y).$$

Lemma 1.35. The operator $\Phi$ preserves implication of relations and for any relation $\rho$,
$\Phi(\rho)$ is the smallest admissible relation containing $\rho$, i.e.,

if $\Xi \mid \Gamma \mid \Theta \vdash \rho : \mathrm{Rel}(\sigma,\tau),\ \rho' : \mathrm{AdmRel}(\sigma,\tau)$

then $\Xi \mid \Gamma \mid \Theta \mid \top \vdash \forall x : \sigma, y : \tau.\ \rho(x,y) \supset \rho'(x,y)$
iff $\Xi \mid \Gamma \mid \Theta \mid \top \vdash \forall x : \sigma, y : \tau.\ \Phi(\rho)(x,y) \supset \rho'(x,y)$

In a later paper we will show how the programming language Lily gives rise to a model
of LAPL. In this concrete model the notion of admissibility is modeled by the $\top\top$-closed
relations, and so the admissible closure operation presented here coincides with $\top\top$-closure
as defined in [BPR00].

Remark 1.36. Lemma 1.35 provides an alternative way of viewing the constructions on
relations presented in Section 1.2.2. In fact $!\rho$ is the smallest admissible relation containing
all pairs of the form $(!x, !y)$ for $\rho(x,y)$. Likewise $\rho \otimes \rho'$ is the smallest admissible relation
containing all pairs $(x \otimes x', y \otimes y')$ with $\rho(x,y) \wedge \rho'(x',y')$, and $I_{Rel}$ is the smallest admissible
relation containing

1.2.6. Extensionality and Identity Extension Schemes. Consider the two extensionality
schemes:

$$(\forall x : \sigma.\ t\,x =_\tau u\,x) \supset t =_{\sigma \multimap \tau} u$$

$$(\forall \alpha : \mathrm{Type}.\ t\,\alpha =_\tau u\,\alpha) \supset t =_{\prod\alpha : \mathrm{Type}.\ \tau} u$$

These are taken as axioms in [PA93], but we shall not take these as axioms as we would
like to be able to talk about models that are not necessarily extensional.

Lemma 1.37. It is provable in the logic that

$$\forall f, g : \sigma \to \tau.\ (\forall x : \sigma.\ f(!x) =_\tau g(!x)) \supset \forall x : !\sigma.\ f(x) =_\tau g(x).$$

In particular, extensionality implies

$$\forall f, g : \sigma \to \tau.\ (\forall x : \sigma.\ f(!x) =_\tau g(!x)) \supset f =_{\sigma \to \tau} g$$

Proof. The first formula of the theorem is just the statement that $(f,g) : eq_\sigma \to eq_\tau$ implies
$(f,g) : !eq_\sigma \multimap eq_\tau$. The second formula follows from the first. □
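The schema

$$- \mid - \mid - \vdash \forall\vec\alpha : \mathrm{Type}.\ \sigma[eq_{\vec\alpha}] \equiv eq_{\sigma(\vec\alpha)}$$

is called the identity extension schema. Here $\sigma$ ranges over all types, and $eq_{\vec\alpha}$ is short
notation for $eq_{\alpha_1}, \ldots, eq_{\alpha_n}$.

For any type $\beta, \alpha_1, \ldots, \alpha_n \vdash \sigma(\beta, \vec\alpha)$ we can form the parametricity schema:

$$- \mid - \mid - \vdash \forall\vec\alpha\ \forall u : (\textstyle\prod\beta.\ \sigma).\ \forall\beta,\beta'.\ \forall R : \mathrm{AdmRel}(\beta,\beta').\ (u\,\beta)\,\sigma[R, eq_{\vec\alpha}]\,(u\,\beta'),$$

where, for readability, we have omitted ": Type" after $\beta, \beta'$.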

We remark that the reason that parametricity and identity extension are formulated as 
schemas is that we cannot quantify over type constructors. 

Proposition 1.38. The identity extension schema implies the parametricity schema.

Proof. The identity extension schema tells us that

$$\forall\vec\alpha\ \forall u : (\textstyle\prod\beta.\ \sigma).\ u\,(\textstyle\prod\beta.\ \sigma)[eq_{\vec\alpha}]\,u.$$

Writing out this expression using Rule 1.26 for the relational interpretation of polymorphic
types, one obtains the parametricity schema. □

In the case of second-order lambda-calculus, the parametricity schema implied identity
extension for the pure calculus, since it provided the case of polymorphic types in a proof
by induction. It is interesting to notice that this does not seem to be the case for PILL$_Y$,
since it seems that we need identity extension to prove for example $eq_\sigma \otimes eq_\tau \equiv eq_{\sigma \otimes \tau}$.



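1.3. Logical Relations Lemma. We end our presentation of Linear Abadi & Plotkin
Logic with the logical relations lemma.

Lemma 1.39 (Logical Relations Lemma). In pure LAPL, for any closed term $- \mid -; - \vdash t : \tau$,

$$t\,\tau\,t.$$

In words, any closed term of closed type is related to itself in the relational interpretation
of the type. More generally, for any open term

$$\vec\alpha \mid \vec{x}' : \vec\sigma'(\vec\alpha);\ \vec{x} : \vec\sigma(\vec\alpha) \vdash t(\vec\alpha, \vec{x}', \vec{x}) : \tau$$

in the pure calculus, the proposition

$$\forall\vec\alpha,\vec\beta.\ \forall\vec{R} : \mathrm{AdmRel}(\vec\alpha,\vec\beta).\ \forall\vec{x} : \vec\sigma(\vec\alpha), \vec{y} : \vec\sigma(\vec\beta).\ \forall\vec{x}' : \vec\sigma'(\vec\alpha), \vec{y}' : \vec\sigma'(\vec\beta).$$
$$\vec{x}\,\vec\sigma[\vec{R}]\,\vec{y} \wedge \vec{x}'\,\vec\sigma'[\vec{R}]\,\vec{y}' \supset t(\vec\alpha,\vec{x}',\vec{x})\,\tau[\vec{R}]\,t(\vec\beta,\vec{y}',\vec{y})$$

holds in the logic.

A detailed proof of the Logical Relations Lemma can be found in [Møg05a].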






[Figure 5: Types definable using parametricity. The figure tabulates encodings for $\sigma$, $\sigma \otimes \tau$, $!\sigma$, $I$, $0 = 1$, $\sigma + \tau$, $\sigma \times \tau$, $\mathbb{N}$, $\coprod\alpha.\ \sigma$, $\mu\alpha.\ \sigma$ and $\nu\alpha.\ \sigma$.]



2. Encoding datatypes using parametricity 

In this section we show how to use the logic to prove correctness of encodings of a large
class of data types in PILL$_Y$ using parametricity. These encodings are due to Plotkin, and
many of them are listed in Figure 5. In Figure 5 there are two sorts of equations. The first
four equations are isomorphisms between types already present in PILL$_Y$. In these cases
we shall show that the isomorphisms hold in a category of linear maps, where maps are
considered equal up to provability in the logic. We shall give a precise definition of this
category shortly.

The other type of equation in Figure 5 defines encodings of types not already present in
PILL$_Y$. We shall show correctness of these encodings, by which we mean that they satisfy
the usual universal properties with respect to the above mentioned category of linear maps.
In the last two encodings, $\sigma$ is assumed to be a type expression of PILL$_Y$ in which $\alpha$ occurs
only positively (see Section 2.7), in which case $\mu\alpha.\ \sigma$ defines an initial algebra for the functor
induced by $\sigma$ and $\nu\alpha.\ \sigma$ defines a final coalgebra. We will also discuss reasoning principles
for the encoded types.

We will prove that the fixed point combinator $Y$ causes the initial algebras and final
coalgebras to coincide — a phenomenon called algebraic compactness. As a special case
we have the coincidence of the initial and final object ($0 = 1$) as can be seen in Figure 5.
Following Freyd [Fre90b, Fre90a, Fre91] we show how algebraic compactness implies the
existence of general recursive types in Section 2.11.

In the following we shall write "using extensionality" and "using identity extension"
to mean that we assume the extensionality schemes and the identity extension schema,
respectively.

2.1. A category of linear functions. The precise formulation of correctness of encodings
of the datatypes presented in this section will be that they satisfy the usual universal
properties. To state this precisely, we introduce for each kind context $\Xi$ the category
$\mathbf{LinType}_\Xi$ as follows:

Objects: are types $\Xi \mid -; - \vdash \sigma : \mathrm{Type}$.

Morphisms: $[\Xi \mid -; - \vdash f : \sigma \multimap \tau]$ are equivalence classes of terms of type $\sigma \multimap \tau$;
the equivalence relation on these terms being provable equality in LAPL using
extensionality and identity extension.

Composition in this category is given by lambda abstraction, i.e. $f : \sigma \multimap \tau$ composed with
$g : \omega \multimap \sigma$ yields $\lambda^\circ x : \omega.\ f(g\,x)$.

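We start by proving that under the assumption of identity extension and extensionality,
for all types $\Xi \vdash \sigma : \mathrm{Type}$ we have an isomorphism of objects of $\mathbf{LinType}_\Xi$:

$$\sigma \cong \textstyle\prod\alpha.\ (\sigma \multimap \alpha) \multimap \alpha$$

for $\alpha$ not free in $\sigma$. We can define terms

$$f : \sigma \multimap \textstyle\prod\alpha.\ ((\sigma \multimap \alpha) \multimap \alpha)$$

and

$$g : (\textstyle\prod\alpha.\ ((\sigma \multimap \alpha) \multimap \alpha)) \multimap \sigma$$

by

$$f = \lambda^\circ x : \sigma.\ \Lambda\alpha.\ \lambda^\circ h : \sigma \multimap \alpha.\ h\,x$$

and

$$g = \lambda^\circ x : \textstyle\prod\alpha.\ ((\sigma \multimap \alpha) \multimap \alpha).\ x\,\sigma\,id_\sigma$$

Clearly

$$g(f\,x) = (f\,x)\,\sigma\,id_\sigma = x$$

so $g \circ f = id_\sigma$. Notice that this only involves external equality and thus we did not need
extensionality here.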

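Proposition 2.1. Using identity extension and extensionality, one may prove that $f \circ g$ is
internally equal to the identity.

Proof. For a term $a : \prod\alpha.\ (\sigma \multimap \alpha) \multimap \alpha$ we have

$$f \circ g\ a = \Lambda\alpha.\ \lambda^\circ h : \sigma \multimap \alpha.\ h(a\,\sigma\,id_\sigma).$$

Using extensionality, it suffices to prove that

$$\Xi, \alpha \mid h : \sigma \multimap \alpha \mid - \vdash h(a\,\sigma\,id_\sigma) =_\alpha a\,\alpha\,h$$

holds in the internal logic.

By the parametricity schema we know that for any admissible relation $\rho : \mathrm{AdmRel}(\tau,\tau')$

$$(a\,\tau)((eq_\sigma \multimap \rho) \multimap \rho)(a\,\tau')$$

If we instantiate this with the admissible relation $\langle h\rangle$, we get

$$(a\,\sigma)((eq_\sigma \multimap \langle h\rangle) \multimap \langle h\rangle)(a\,\alpha)$$

Since $id_\sigma\,(eq_\sigma \multimap \langle h\rangle)\,h$ we know that $(a\,\sigma\,id_\sigma)\,\langle h\rangle\,(a\,\alpha\,h)$, i.e.,

$$h(a\,\sigma\,id_\sigma) =_\alpha a\,\alpha\,h,$$

as desired. □

This proof may essentially be found in [Bg05].

Intuitively, what happens here is that $\sigma$ is a subtype of $\prod\alpha.\ (\sigma \multimap \alpha) \multimap \alpha$, where the
inclusion $f$ maps $x$ to application at $x$. We use parametricity to show that $\prod\alpha.\ (\sigma \multimap \alpha) \multimap \alpha$
does not contain anything that is not in $\sigma$.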



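2.2. Tensor types. The goal of this section is to prove

$$\sigma \otimes \tau \cong \textstyle\prod\alpha.\ (\sigma \multimap \tau \multimap \alpha) \multimap \alpha$$

using identity extension and extensionality, for $\Xi \vdash \sigma : \mathrm{Type}$ and $\Xi \vdash \tau : \mathrm{Type}$ types in the
same context. The isomorphism is in the category $\mathbf{LinType}_\Xi$.

This isomorphism leads to the question of whether tensor types are actually superfluous
in the language. The answer is yes in the following sense: Call the language without tensor
types (and $I$) $t$ and the language as is $T$. Then there are transformations $p : T \to t$ and
$i : t \to T$, $i$ being the inclusion, such that $p \circ i = id_t$ and $i \circ p = id_T$. This is all being
stated more precisely, not to mention proved, in [MBR05]. In this paper we settle for the
isomorphism above.

We can construct terms

$$f : \sigma \otimes \tau \multimap \textstyle\prod\alpha.\ (\sigma \multimap \tau \multimap \alpha) \multimap \alpha$$

and

$$g : (\textstyle\prod\alpha.\ (\sigma \multimap \tau \multimap \alpha) \multimap \alpha) \multimap \sigma \otimes \tau$$

by

$$f\,y = \mathrm{let}\ x \otimes x' : \sigma \otimes \tau\ \mathrm{be}\ y\ \mathrm{in}\ \Lambda\alpha.\ \lambda^\circ h : \sigma \multimap \tau \multimap \alpha.\ h\,x\,x'$$

and

$$g\,y = y\,(\sigma \otimes \tau)\,pairing,$$

where the map $pairing : \sigma \multimap \tau \multimap \sigma \otimes \tau$ is

$$pairing = \lambda^\circ x : \sigma.\ \lambda^\circ x' : \tau.\ x \otimes x'.$$

Let us show that the composition $g \circ f$ is the identity.

$$\begin{aligned}
g \circ f\ y &= g(\mathrm{let}\ x \otimes x' : \sigma \otimes \tau\ \mathrm{be}\ y\ \mathrm{in}\ \Lambda\alpha.\ \lambda^\circ h : \sigma \multimap \tau \multimap \alpha.\ h\,x\,x')\\
&= (\mathrm{let}\ x \otimes x' : \sigma \otimes \tau\ \mathrm{be}\ y\ \mathrm{in}\ \Lambda\alpha.\ \lambda^\circ h : \sigma \multimap \tau \multimap \alpha.\ h\,x\,x')\ (\sigma \otimes \tau)\ pairing\\
&= (\Lambda\alpha.\ \lambda^\circ h : \sigma \multimap \tau \multimap \alpha.\ \mathrm{let}\ x \otimes x' : \sigma \otimes \tau\ \mathrm{be}\ y\ \mathrm{in}\ h\,x\,x')\ (\sigma \otimes \tau)\ pairing\\
&= \mathrm{let}\ x \otimes x' : \sigma \otimes \tau\ \mathrm{be}\ y\ \mathrm{in}\ x \otimes x'\\
&= y.
\end{aligned}$$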

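Proposition 2.2. Using extensionality and identity extension one may prove that the
composition

$$f \circ g : (\textstyle\prod\alpha.\ (\sigma \multimap \tau \multimap \alpha) \multimap \alpha) \multimap (\textstyle\prod\alpha.\ (\sigma \multimap \tau \multimap \alpha) \multimap \alpha)$$

is internally equal to the identity.

Proof. We compute

$$f \circ g\,(y) = f(y\,(\sigma \otimes \tau)\,pairing) = \mathrm{let}\ x \otimes x' : \sigma \otimes \tau\ \mathrm{be}\ (y\ \sigma \otimes \tau\ pairing)\ \mathrm{in}\ \Lambda\alpha.\ \lambda^\circ h : \sigma \multimap \tau \multimap \alpha.\ h\,x\,x'$$

Suppose we are given a type $\alpha$ and a map $h : \sigma \multimap \tau \multimap \alpha$. We can define $\phi_h : \sigma \otimes \tau \multimap \alpha$ as

$$\phi_h = \lambda^\circ y : \sigma \otimes \tau.\ \mathrm{let}\ x \otimes x' : \sigma \otimes \tau\ \mathrm{be}\ y\ \mathrm{in}\ h\,x\,x'.$$

Then $\phi_h(pairing\,x\,x') = h\,x\,x'$, which means that $pairing\,(eq_\sigma \multimap eq_\tau \multimap \langle\phi_h\rangle)\,h$. By the
parametricity schema

$$\Xi, \alpha \mid h : \sigma \multimap \tau \multimap \alpha,\ y : \textstyle\prod\alpha.\ (\sigma \multimap \tau \multimap \alpha) \multimap \alpha \mid - \mid \top \vdash (y\ \sigma \otimes \tau)((eq_\sigma \multimap eq_\tau \multimap \langle\phi_h\rangle) \multimap \langle\phi_h\rangle)(y\,\alpha)$$

so

$$(y\ \sigma \otimes \tau\ pairing)\,\langle\phi_h\rangle\,(y\,\alpha\,h),$$

i.e.,

$$\phi_h(y\ \sigma \otimes \tau\ pairing) =_\alpha y\,\alpha\,h.$$

Writing this out we get

$$\Xi, \alpha \mid h : \sigma \multimap \tau \multimap \alpha,\ y : \textstyle\prod\alpha.\ (\sigma \multimap \tau \multimap \alpha) \multimap \alpha \mid - \mid \top \vdash \mathrm{let}\ x \otimes x' : \sigma \otimes \tau\ \mathrm{be}\ (y\ \sigma \otimes \tau\ pairing)\ \mathrm{in}\ h\,x\,x' =_\alpha y\,\alpha\,h.$$

Using extensionality we get

$$\Lambda\alpha.\ \lambda^\circ h : \sigma \multimap \tau \multimap \alpha.\ \mathrm{let}\ x \otimes x' : \sigma \otimes \tau\ \mathrm{be}\ (y\ \sigma \otimes \tau\ pairing)\ \mathrm{in}\ (h\,x\,x') =_{\prod\alpha.\ (\sigma \multimap \tau \multimap \alpha) \multimap \alpha} y.$$

This is enough, since by the rules for external equality the left hand side is

$$\mathrm{let}\ x \otimes x' : \sigma \otimes \tau\ \mathrm{be}\ (y\ \sigma \otimes \tau\ pairing)\ \mathrm{in}\ (\Lambda\alpha.\ \lambda^\circ h : \sigma \multimap \tau \multimap \alpha.\ h\,x\,x').$$

□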



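2.3. Unit object. The goal of this section is to prove that identity extension together with
extensionality implies

$$I \cong \textstyle\prod\alpha.\ \alpha \multimap \alpha.$$

The isomorphism holds in $\mathbf{LinType}_\Xi$ for all $\Xi$.

We first define maps $f : I \multimap \prod\alpha.\ \alpha \multimap \alpha$ and $g : (\prod\alpha.\ \alpha \multimap \alpha) \multimap I$ as

$$f = \lambda^\circ x : I.\ \mathrm{let}\ \star\ \mathrm{be}\ x\ \mathrm{in}\ id,$$
$$g = \lambda^\circ t : \textstyle\prod\alpha.\ \alpha \multimap \alpha.\ t\,I\,\star,$$

where

$$id = \Lambda\alpha.\ \lambda^\circ y : \alpha.\ y.$$

We first notice that

$$\begin{aligned}
g(f(x)) &= (\mathrm{let}\ \star\ \mathrm{be}\ x\ \mathrm{in}\ id)\ I\ \star\\
&= \mathrm{let}\ \star\ \mathrm{be}\ x\ \mathrm{in}\ (id\ I\ \star)\\
&= \mathrm{let}\ \star\ \mathrm{be}\ x\ \mathrm{in}\ \star\\
&= x.
\end{aligned}$$

Proposition 2.3. Using identity extension and extensionality, we have that $f \circ g$ is
internally equal to the identity on $\prod\alpha.\ \alpha \multimap \alpha$.

Proof. First we write out the definition

$$f \circ g = \lambda^\circ t : (\textstyle\prod\alpha.\ \alpha \multimap \alpha).\ \mathrm{let}\ \star\ \mathrm{be}\ (t\,I\,\star)\ \mathrm{in}\ id.$$

We show that for any $t : \prod\alpha.\ \alpha \multimap \alpha$, for any type $\sigma$, and any $x : \sigma$ we have $f \circ g(t)\,\sigma\,x =_\sigma t\,\sigma\,x$.

Given $\sigma, x$ as above, we can define $h : I \multimap \sigma$ as $h = \lambda^\circ z : I.\ \mathrm{let}\ \star\ \mathrm{be}\ z\ \mathrm{in}\ x$. Then $\langle h\rangle$
is admissible, so by identity extension

$$(t\,I)(\langle h\rangle \multimap \langle h\rangle)(t\,\sigma).$$

Since $h(\star) = x$ we have $h(t\,I\,\star) =_\sigma t\,\sigma\,x$, and by definition

$$\begin{aligned}
h(t\,I\,\star) &= \mathrm{let}\ \star\ \mathrm{be}\ (t\,I\,\star)\ \mathrm{in}\ x\\
&= \mathrm{let}\ \star\ \mathrm{be}\ (t\,I\,\star)\ \mathrm{in}\ (id\,\sigma\,x)\\
&= (\mathrm{let}\ \star\ \mathrm{be}\ (t\,I\,\star)\ \mathrm{in}\ id)\ \sigma\ x\\
&= f \circ g(t)\,\sigma\,x.
\end{aligned}$$

□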

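2.4. Initial objects and coproducts. We define

$$0 = \textstyle\prod\alpha.\ \alpha$$

For each $\Xi$ this defines a weak initial object in $\mathbf{LinType}_\Xi$, since for any type $\Xi \vdash \sigma$, there
exists a term $0_\sigma : 0 \multimap \sigma$, defined as

$$\lambda^\circ x : 0.\ x\,\sigma$$

Proposition 2.4. Suppose $f : 0 \multimap \sigma$ for some type $\Xi \vdash \sigma$. Using identity extension and
extensionality it is provable that $f =_{0 \multimap \sigma} 0_\sigma$. Thus, $0$ is an initial object in $\mathbf{LinType}_\Xi$ for
each $\Xi$.

Proof. First notice that for any map $h : \sigma \multimap \tau$, by identity extension $(x\,\sigma)\langle h\rangle(x\,\tau)$ for any
$x : 0$. Thus, by extensionality, $h \circ 0_\sigma =_{0 \multimap \tau} 0_\tau$ for any $h : \sigma \multimap \tau$. In particular, for any type
$\sigma$, the case $h = 0_\sigma$ gives us $x\,0\,\sigma =_\sigma x\,\sigma$, i.e., $0_0 =_{0 \multimap 0} id_0$. If $f : 0 \multimap \sigma$, by the above we
have $0_\sigma =_{0 \multimap \sigma} f \circ 0_0 =_{0 \multimap \sigma} f$. □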

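Next, suppose $\Xi \vdash \sigma, \tau$ are types in the same context. We define

$$\sigma + \tau = \textstyle\prod\alpha.\ (\sigma \multimap \alpha) \to (\tau \multimap \alpha) \to \alpha$$

and show under the assumption of identity extension and extensionality that this defines a
coproduct of $\sigma$ and $\tau$ in $\mathbf{LinType}_\Xi$.

First define terms $in_\sigma : \sigma \multimap \sigma + \tau$, $in_\tau : \tau \multimap \sigma + \tau$ as

$$in_\sigma = \lambda^\circ x : \sigma.\ \Lambda\alpha.\ \lambda f : \sigma \multimap \alpha.\ \lambda g : \tau \multimap \alpha.\ f(x)$$
$$in_\tau = \lambda^\circ y : \tau.\ \Lambda\alpha.\ \lambda f : \sigma \multimap \alpha.\ \lambda g : \tau \multimap \alpha.\ g(y)$$

For any pair of maps $f : \sigma \multimap \omega$, $g : \tau \multimap \omega$, define the copairing $[f,g] : \sigma + \tau \multimap \omega$ as

$$[f,g] = \lambda^\circ x : \sigma + \tau.\ x\,\omega\,!f\,!g,$$

then clearly $[f,g](in_\sigma(x)) = f(x)$ and $[f,g](in_\tau(y)) = g(y)$, and so $\sigma + \tau$ is a weak coproduct
of $\sigma$ and $\tau$ in $\mathbf{LinType}_\Xi$. We remark that the copairing constructor can also be defined as
a polymorphic term

$$[-,-] : \textstyle\prod\alpha.\ (\sigma \multimap \alpha) \to (\tau \multimap \alpha) \to \sigma + \tau \multimap \alpha$$

of intuitionistic function type. Of course we can define an even more general copairing by
abstracting $\sigma, \tau$ as well.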

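Lemma 2.5. If $h : \omega \multimap \omega'$, $f : \sigma \multimap \omega$ and $g : \tau \multimap \omega$, then using extensionality and identity
extension, it is provable that $[h \circ f, h \circ g] =_{\sigma + \tau \multimap \omega'} h \circ [f,g]$.

Proof. Since

$$f\,(eq_\sigma \multimap \langle h\rangle)\,h \circ f$$
$$g\,(eq_\tau \multimap \langle h\rangle)\,h \circ g$$

for any $x : \sigma + \tau$,

$$(x\,\omega\,!f\,!g)\,\langle h\rangle\,(x\,\omega'\,!(h \circ f)\,!(h \circ g))$$

by identity extension, i.e., $h([f,g](x)) =_{\omega'} [h \circ f, h \circ g](x)$. □

Lemma 2.6. Using extensionality and identity extension, $[in_\sigma, in_\tau] =_{\sigma + \tau \multimap \sigma + \tau} id_{\sigma + \tau}$ is
provable.

Proof. Given any $\omega$, $a : \sigma \multimap \omega$, $b : \tau \multimap \omega$, we have

$$[a,b]([in_\sigma, in_\tau](x)) =_\omega [[a,b] \circ in_\sigma, [a,b] \circ in_\tau](x) =_\omega [a,b](x)$$

for any $x : \sigma + \tau$. By unfolding the definition of $[a,b]$ in the above equality we get

$$[in_\sigma, in_\tau](x)\,\omega\,!a\,!b =_\omega x\,\omega\,!a\,!b.$$

Since $\omega, a, b$ were arbitrary, extensionality (and Lemma 1.37) implies $[in_\sigma, in_\tau](x) =_{\sigma + \tau} x$
for all $x$. □

Proposition 2.7. For any $f : \sigma \multimap \omega$, $g : \tau \multimap \omega$ and $h : \sigma + \tau \multimap \omega$, if $h \circ in_\sigma =_{\sigma \multimap \omega} f$
and $h \circ in_\tau =_{\tau \multimap \omega} g$, then it is provable using identity extension and extensionality that
$h =_{\sigma + \tau \multimap \omega} [f,g]$. Thus $\sigma + \tau$ is a coproduct of $\sigma$ and $\tau$ in $\mathbf{LinType}_\Xi$.

Proof.

$$[f,g] =_{\sigma + \tau \multimap \omega} [h \circ in_\sigma, h \circ in_\tau] =_{\sigma + \tau \multimap \omega} h \circ [in_\sigma, in_\tau] =_{\sigma + \tau \multimap \omega} h$$

□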



2.5. Terminal objects and products. The initial object $0$ is also weakly terminal, since
for any type $\sigma$,

$$\Omega_{\sigma \multimap 0} = Y\,(\sigma \multimap 0)\,(!id_{\sigma \multimap 0})$$

is a term of type $\sigma \multimap 0$. In fact, using parametricity, $0$ can be proved to be terminal.

Proposition 2.8. Suppose $f, g : \sigma \multimap 0$. Using identity extension and extensionality it is
provable that $f =_{\sigma \multimap 0} g$. Thus $0$ is a terminal object in $\mathbf{LinType}_\Xi$ for any $\Xi$.

Proof. We will prove

$$\forall x, y : 0.\ x =_0 y$$

which, by extensionality, implies the proposition. Suppose we are given $x, y : 0$. The term

$$\lambda^\circ z : 0.\ z\,(0 \multimap \sigma)\,y$$

has type $0 \multimap \sigma$, and thus is equal to $0_\sigma$. This means that $x\,\sigma =_\sigma x\,(0 \multimap \sigma)\,y$. Likewise
$x\,(0 \multimap \sigma)\,y =_\sigma y\,\sigma$, so $x\,\sigma =_\sigma y\,\sigma$. Since this holds for all $\sigma$, by extensionality $x =_0 y$. □
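Suppose $\sigma, \tau$ are types in the same context $\Xi$. Define

$$\sigma \times \tau = \textstyle\prod\alpha.\ (\sigma \multimap \alpha) + (\tau \multimap \alpha) \multimap \alpha.$$

This defines a weak product in $\mathbf{LinType}_\Xi$, with projections $\pi_\sigma : \sigma \times \tau \multimap \sigma$ and $\pi_\tau : \sigma \times \tau \multimap \tau$
defined as

$$\pi_\sigma = \lambda^\circ x : \sigma \times \tau.\ x\,\sigma\,(in_{\sigma \multimap \sigma}\,id_\sigma)$$
$$\pi_\tau = \lambda^\circ x : \sigma \times \tau.\ x\,\tau\,(in_{\tau \multimap \tau}\,id_\tau)$$

The pairing of terms $f : \omega \multimap \sigma$ and $g : \omega \multimap \tau$ is $\langle f,g\rangle : \omega \multimap \sigma \times \tau$ defined as

$$\langle f,g\rangle = \lambda^\circ x : \omega.\ \Lambda\alpha.\ \lambda^\circ h : (\sigma \multimap \alpha) + (\tau \multimap \alpha).\ [\lambda^\circ z : \sigma \multimap \alpha.\ z \circ f,\ \lambda^\circ z : \tau \multimap \alpha.\ z \circ g]\ h\ x$$

Then

$$\pi_\sigma(\langle f,g\rangle(x)) = \langle f,g\rangle(x)\ \sigma\ (in_{\sigma \multimap \sigma}\,id_\sigma) = (\lambda^\circ z : \sigma \multimap \sigma.\ z \circ f)\ id_\sigma\ x = f(x)$$

and so $\pi_\sigma \circ \langle f,g\rangle = f$ and likewise $\pi_\tau \circ \langle f,g\rangle = g$, proving that $\sigma \times \tau$ defines a weak product.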

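Lemma 2.9. Using identity extension and extensionality it is provable that for any $f : \omega \multimap \sigma$,
$g : \omega \multimap \tau$, $k : \omega' \multimap \omega$,

$$\langle f,g\rangle \circ k =_{\omega' \multimap \sigma \times \tau} \langle f \circ k, g \circ k\rangle$$

Proof. The lemma is easily proved by the following direct computation using properties of
coproducts established above. The notation $(- \circ k)$ below denotes the term $\lambda^\circ y : \omega \multimap \alpha.\ y \circ k$
of type $(\omega \multimap \alpha) \multimap \omega' \multimap \alpha$.

$$\begin{aligned}
\langle f \circ k, g \circ k\rangle(x)
&=_{\sigma \times \tau} \Lambda\alpha.\ \lambda^\circ h : (\sigma \multimap \alpha) + (\tau \multimap \alpha).\ [\lambda^\circ z : \sigma \multimap \alpha.\ z \circ f \circ k,\ \lambda^\circ z : \tau \multimap \alpha.\ z \circ g \circ k]\ h\ x\\
&=_{\sigma \times \tau} \Lambda\alpha.\ \lambda^\circ h.\ [(- \circ k) \circ (\lambda^\circ z : \sigma \multimap \alpha.\ z \circ f),\ (- \circ k) \circ (\lambda^\circ z : \tau \multimap \alpha.\ z \circ g)]\ h\ x\\
&=_{\sigma \times \tau} \Lambda\alpha.\ \lambda^\circ h.\ (- \circ k) \circ [(\lambda^\circ z : \sigma \multimap \alpha.\ z \circ f),\ (\lambda^\circ z : \tau \multimap \alpha.\ z \circ g)]\ h\ x\\
&=_{\sigma \times \tau} \Lambda\alpha.\ \lambda^\circ h.\ [(\lambda^\circ z : \sigma \multimap \alpha.\ z \circ f),\ (\lambda^\circ z : \tau \multimap \alpha.\ z \circ g)]\ h\ (k(x))\\
&=_{\sigma \times \tau} \langle f,g\rangle \circ k\,(x)
\end{aligned}$$

□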

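Lemma 2.10. Identity extension and extensionality implies that $\langle \pi_\sigma, \pi_\tau\rangle =_{\sigma \times \tau \multimap \sigma \times \tau} id_{\sigma \times \tau}$.

Proof. We must show that for any $x : \sigma \times \tau$, any $\alpha$ and any $h : (\sigma \multimap \alpha) + (\tau \multimap \alpha)$

$$[\lambda^\circ z : \sigma \multimap \alpha.\ z \circ \pi_\sigma,\ \lambda^\circ z : \tau \multimap \alpha.\ z \circ \pi_\tau]\ h\ x =_\alpha x\,\alpha\,h$$

In fact, since we are dealing with coproducts, it suffices to show that for any $l : \sigma \multimap \alpha$ and
$k : \tau \multimap \alpha$

$$l(\pi_\sigma(x)) =_\alpha x\,\alpha\,(in_{\sigma \multimap \alpha}\,l)$$
$$k(\pi_\tau(x)) =_\alpha x\,\alpha\,(in_{\tau \multimap \alpha}\,k)$$

We just prove the first of these equations. Since

$$id_\sigma\,(eq_\sigma \multimap \langle l\rangle)\,l$$

by parametricity of a polymorphic version of $in$,

$$in_{\sigma \multimap \sigma}(id_\sigma)\ ((eq_\sigma \multimap \langle l\rangle) + (eq_\tau \multimap \langle l\rangle))\ in_{\sigma \multimap \alpha}(l)$$

and so by parametricity of $x : \sigma \times \tau$

$$x\,\sigma\,(in_{\sigma \multimap \sigma}\,id_\sigma)\ \langle l\rangle\ x\,\alpha\,(in_{\sigma \multimap \alpha}\,l)$$

i.e.

$$\pi_\sigma(x)\ \langle l\rangle\ x\,\alpha\,(in_{\sigma \multimap \alpha}\,l)$$

as desired. □

Proposition 2.11. Suppose $h : \omega \multimap \sigma \times \tau$ is such that $\pi_\sigma \circ h =_{\omega \multimap \sigma} f$ and $\pi_\tau \circ h =_{\omega \multimap \tau} g$;
then it is provable using identity extension and extensionality that $h =_{\omega \multimap \sigma \times \tau} \langle f,g\rangle$. Thus
$\sigma \times \tau$ is a product of $\sigma$ and $\tau$ in $\mathbf{LinType}_\Xi$.

Proof.

$$h =_{\omega \multimap \sigma \times \tau} \langle \pi_\sigma, \pi_\tau\rangle \circ h =_{\omega \multimap \sigma \times \tau} \langle \pi_\sigma \circ h, \pi_\tau \circ h\rangle =_{\omega \multimap \sigma \times \tau} \langle f,g\rangle.$$

□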

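2.6. Natural Numbers. We define the type of natural numbers as

$$\mathbb{N} = \textstyle\prod\alpha.\ (\alpha \multimap \alpha) \to \alpha \multimap \alpha.$$

We further define terms $0 : \mathbb{N}$, $s : \mathbb{N} \multimap \mathbb{N}$ as

$$0 = \Lambda\alpha.\ \lambda f : \alpha \multimap \alpha.\ \lambda^\circ x : \alpha.\ x, \qquad s = \lambda^\circ y : \mathbb{N}.\ \Lambda\alpha.\ \lambda f : \alpha \multimap \alpha.\ \lambda^\circ x : \alpha.\ f(y\,\alpha\,!f\,x)$$

and prove that $(\mathbb{N}, 0, s)$ is a weak natural numbers object in each $\mathbf{LinType}_\Xi$, and, using
parametricity and extensionality, an honest natural numbers object.

Suppose we are given a type $\sigma$, a term $a : \sigma$ and a morphism $b : \sigma \multimap \sigma$. We can then
define $h : \mathbb{N} \multimap \sigma$ as $h(y) = y\,\sigma\,!b\,a$. Then clearly $h(0) = a$, and $h(s\,x) = b(x\,\sigma\,!b\,a) = b(h(x))$,
so $(\mathbb{N}, 0, s)$ is a weak natural numbers object.

We can express the weak natural numbers object property as: for all $a, b$, there exists
an $h$ such that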




commutes. 

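Lemma 2.12. Identity Extension and extensionality implies

$$\forall x : \mathbb{N}.\ x\,\mathbb{N}\,!s\,0 =_{\mathbb{N}} x.$$

Proof. Suppose we are given $\sigma, a, b$ and define $h$ as above. Since $b \circ h = h \circ s$ and $h\,0 = a$,
we have $s\,(\langle h\rangle \multimap \langle h\rangle)\,b$ and $0\,\langle h\rangle\,a$; by parametricity of $x$, $(x\,\mathbb{N}\,!s\,0)\,\langle h\rangle\,(x\,\sigma\,!b\,a)$, i.e.,

$$(x\,\mathbb{N}\,!s\,0)\,\sigma\,!b\,a =_\sigma x\,\sigma\,!b\,a.$$

Letting $\sigma$ range over all types and $a, b$ over all terms, using extensionality and Lemma 1.37
we have

$$x\,\mathbb{N}\,!s\,0 =_{\mathbb{N}} x,$$

as desired. □

We can now prove that $\mathbb{N}$ is a natural numbers object in each $\mathbf{LinType}_\Xi$.

Lemma 2.13. Assuming identity extension and extensionality, given $\sigma, a, b$, the map $h$
defined as above is up to internal equality the unique $h'$ such that $h'(0) = a$, $h'(s\,x) = b(h'\,x)$.

Proof. Suppose $h'$ satisfies the requirements of the lemma. Then $s\,(\langle h'\rangle \multimap \langle h'\rangle)\,b$ and $0\,\langle h'\rangle\,a$
(this is just a reformulation of the requirements), so for arbitrary $x : \mathbb{N}$, by parametricity of
$x$,

$$x\,\sigma\,!b\,a =_\sigma h'(x\,\mathbb{N}\,!s\,0) =_\sigma h'(x).$$

Thus, by extensionality, $h' =_{\mathbb{N} \multimap \sigma} h$. □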
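The coproduct, product and natural-number encodings of Sections 2.4 to 2.6 can be exercised directly in a language with rank-2 generics. The following TypeScript sketch is an added example, not code from the paper: TypeScript cannot enforce linearity, so $\multimap$ and $\to$ both become ordinary functions and $!b$ is written `b`, and all identifiers are names chosen here. It checks the weak universal properties and Lemma 2.12 on sample values only; the uniqueness statements need the parametricity argument given in the text.

```typescript
// Added illustration of Sections 2.4-2.6. No linear types here: both -o and ->
// are ordinary functions and !b is written b. All identifiers are assumptions.

// sigma + tau = prod alpha. (sigma -o alpha) -> (tau -o alpha) -> alpha
type Sum<S, T> = <A>(f: (x: S) => A) => (g: (y: T) => A) => A;

const inl = <S, T>(x: S): Sum<S, T> =>
  <A>(f: (x: S) => A) => (_g: (y: T) => A): A => f(x);
const inr = <S, T>(y: T): Sum<S, T> =>
  <A>(_f: (x: S) => A) => (g: (y: T) => A): A => g(y);

// Copairing [f, g] = lambda x: sigma + tau. x omega !f !g
const copair = <S, T, W>(f: (x: S) => W, g: (y: T) => W) =>
  (x: Sum<S, T>): W => x<W>(f)(g);

// sigma x tau = prod alpha. (sigma -o alpha) + (tau -o alpha) -o alpha
type Prod<S, T> = <A>(h: Sum<(x: S) => A, (y: T) => A>) => A;

// <f, g> = lambda x. Lambda alpha. lambda h. [lambda z. z o f, lambda z. z o g] h x
const pair = <W, S, T>(f: (w: W) => S, g: (w: W) => T) =>
  (x: W): Prod<S, T> =>
    <A>(h: Sum<(x: S) => A, (y: T) => A>): A =>
      copair<(x: S) => A, (y: T) => A, (w: W) => A>(
        (z) => (w) => z(f(w)),
        (z) => (w) => z(g(w)),
      )(h)(x);

// pi_sigma = lambda x. x sigma (in id_sigma), pi_tau = lambda x. x tau (in id_tau)
const fst = <S, T>(x: Prod<S, T>): S =>
  x<S>(inl<(x: S) => S, (y: T) => S>((s) => s));
const snd = <S, T>(x: Prod<S, T>): T =>
  x<T>(inr<(x: S) => T, (y: T) => T>((t) => t));

// N = prod alpha. (alpha -o alpha) -> alpha -o alpha
type Nat = <A>(f: (a: A) => A) => (x: A) => A;
const zero: Nat = <A>(_f: (a: A) => A) => (x: A): A => x;
const succ = (y: Nat): Nat =>
  <A>(f: (a: A) => A) => (x: A): A => f(y<A>(f)(x));

// The mediating map h(y) = y sigma !b a, for a: sigma and b: sigma -o sigma
const iter = <S>(a: S, b: (s: S) => S) => (y: Nat): S => y<S>(b)(a);

// Left-hand side of Lemma 2.12: x N !s 0
const rebuild = (x: Nat): Nat => x<Nat>(succ)(zero);

// Conversions used only to observe results (helpers assumed for this example)
const church = (n: number): Nat => (n <= 0 ? zero : succ(church(n - 1)));
const unchurch = iter<number>(0, (k) => k + 1);
```

Instantiating `x` at `Nat` itself in `rebuild` is the impredicative step that Lemma 2.12 relies on.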
2.6.1. Induction principle. The parametricity principle for the natural numbers implies
that if $R : \mathrm{AdmRel}(\mathbb{N}, \mathbb{N})$ and $x : \mathbb{N}$, then

$$(x\,\mathbb{N})((R \multimap R) \to R \multimap R)(x\,\mathbb{N}).$$

So if $s\,(R \multimap R)\,s$ and $R(0,0)$, then

$$(x\,\mathbb{N}\,!s\,0)\,R\,(x\,\mathbb{N}\,!s\,0).$$

By Lemma 2.12, $x\,\mathbb{N}\,!s\,0 =_{\mathbb{N}} x$, so we can conclude that $R(x,x)$. If $\phi$ is a proposition on
$\mathbb{N}$ such that $(x : \mathbb{N}, y : \mathbb{N}).\ \phi(x)$ is admissible, then from parametricity we obtain the usual
induction principle

$$(\phi(0) \wedge \forall x : \mathbb{N}.\ \phi(x) \supset \phi(s(x))) \supset \forall x : \mathbb{N}.\ \phi(x).$$

2.7. Types as functors.

Definition 2.14. We say that $\vec\alpha \vdash \sigma : \mathrm{Type}$ is an inductively constructed type, if it can be
constructed from free variables $\vec\alpha$ and closed types using the type constructors of PILL$_Y$,
i.e., $\multimap$, $\otimes$, $I$, $!$ and $\prod\alpha$.

For example, all types of pure PILL$_Y$ are inductively defined, and if $\sigma$ is a closed type
then $\prod\alpha.\ \sigma \times \alpha$ is an inductively constructed type. However, some models may contain
types that are not inductively constructed! For example, in syntactical models, any basic
open type, such as the type $\alpha \vdash lists(\alpha)$, is not inductively constructed.

We define positive and negative occurrences of free type variables in inductively defined
types as usual. The type variable $\alpha$ occurs positive in the type $\alpha$ and the positive occurrences
of a type variable $\alpha$ in $\sigma \multimap \tau$ are the positive occurrences of $\alpha$ in $\tau$ and the negative in $\sigma$.
The negative occurrences of $\alpha$ in $\sigma \multimap \tau$ are the positive in $\sigma$ and the negative in $\tau$. The
positive and negative occurrences of $\alpha$ in $\prod\beta.\ \sigma$ are the positive and negative occurrences
in $\sigma$ for $\alpha \neq \beta$. The rest of the type constructors preserve positive and negative occurrences
of type variables.

If $\sigma(\alpha,\beta)$ is an inductively defined type in which the free type variable $\alpha$ appears only
negatively and the free type variable $\beta$ appears only positively, then we can consider $\sigma$ as
a functor $\mathbf{LinType}_\Xi^{op} \times \mathbf{LinType}_\Xi \to \mathbf{LinType}_\Xi$ for each $\Xi$ by defining the term

$$M_{\sigma(\alpha,\beta)} : \textstyle\prod\alpha,\beta,\alpha',\beta'.\ (\alpha' \multimap \alpha) \to (\beta \multimap \beta') \to \sigma(\alpha,\beta) \multimap \sigma(\alpha',\beta'),$$

which behaves as the morphism part of a functor, i.e., it respects composition and preserves
identities. We define $M_{\sigma(\alpha,\beta)}$ by structural induction on $\sigma$. This construction immediately
generalizes to types with fewer or more than two free type variables, each of which appear
only positively or only negatively. This idea of the functorial interpretation of types being
representable by polymorphic terms has also been used in second order lambda calculus
(see e.g. [RP90]).

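For the base case of the induction, if $\sigma(\alpha,\beta) = \beta$, define

$$M_\beta = \Lambda\alpha,\beta,\alpha',\beta'.\ \lambda f, g.\ g.$$

In the case $\sigma(\beta,\alpha) \multimap \tau(\alpha,\beta)$ we define the term

$$M_{\sigma(\beta,\alpha) \multimap \tau(\alpha,\beta)} : \textstyle\prod\alpha,\beta,\alpha',\beta'.\ (\alpha' \multimap \alpha) \to (\beta \multimap \beta') \to (\sigma(\beta,\alpha) \multimap \tau(\alpha,\beta)) \multimap \sigma(\beta',\alpha') \multimap \tau(\alpha',\beta')$$

by

$$M_{\sigma(\beta,\alpha) \multimap \tau(\alpha,\beta)} = \Lambda\alpha,\beta,\alpha',\beta'.\ \lambda f, g.\ \lambda^\circ h : \sigma(\beta,\alpha) \multimap \tau(\alpha,\beta).\ (M_\tau\,\alpha\,\beta\,\alpha'\,\beta'\,f\,g) \circ h \circ (M_\sigma\,\beta'\,\alpha'\,\beta\,\alpha\,g\,f).$$

For bang types, we define:

$$M_{!\sigma(\alpha,\beta)} = \Lambda\alpha,\beta,\alpha',\beta'.\ \lambda f : \alpha' \multimap \alpha.\ \lambda g : \beta \multimap \beta'.\ \lambda^\circ x : !\sigma(\alpha,\beta).\ \mathrm{let}\ !y\ \mathrm{be}\ x\ \mathrm{in}\ !(M_{\sigma(\alpha,\beta)}\,\alpha\,\beta\,\alpha'\,\beta'\,f\,g\,y).$$

For tensor types, we define:

$$M_{\sigma(\alpha,\beta) \otimes \tau(\alpha,\beta)} = \Lambda\alpha,\beta,\alpha',\beta'.\ \lambda f, g.\ \lambda^\circ z : \sigma(\alpha,\beta) \otimes \tau(\alpha,\beta).\ \mathrm{let}\ x \otimes y : \sigma(\alpha,\beta) \otimes \tau(\alpha,\beta)\ \mathrm{be}\ z\ \mathrm{in}\ (M_\sigma\,\alpha\,\beta\,\alpha'\,\beta'\,f\,g\,x) \otimes (M_\tau\,\alpha\,\beta\,\alpha'\,\beta'\,f\,g\,y).$$

The last case is the case of polymorphic types:

$$M_{\prod\omega.\ \sigma(\alpha,\beta)} = \Lambda\alpha,\beta,\alpha',\beta'.\ \lambda f, g.\ \lambda^\circ z : \textstyle\prod\omega.\ \sigma(\alpha,\beta).\ \Lambda\omega : \mathrm{Type}.\ M_{\sigma(\alpha,\beta)}\,\alpha\,\beta\,\alpha'\,\beta'\,f\,g\,(z\,\omega).$$

Lemma 2.15. The term $M_\sigma$ respects composition and preserves identities, i.e., for $f : \alpha' \multimap \alpha$,
$f' : \alpha'' \multimap \alpha'$, $g : \beta \multimap \beta'$, and $g' : \beta' \multimap \beta''$,

• $M_{\sigma(\alpha,\beta)}\,\alpha\,\beta\,\alpha''\,\beta''\,!(f \circ f')\,!(g' \circ g) = (M_{\sigma(\alpha,\beta)}\,\alpha'\,\beta'\,\alpha''\,\beta''\,!f'\,!g') \circ (M_{\sigma(\alpha,\beta)}\,\alpha\,\beta\,\alpha'\,\beta'\,!f\,!g)$,

• $M_{\sigma(\alpha,\beta)}\,\alpha\,\beta\,\alpha\,\beta\,!id_\alpha\,!id_\beta = id_{\sigma(\alpha,\beta)}$.

Proof. The proof proceeds by induction over the structure of $\sigma$, and most of it is the same
as in [PA93], except the case of tensor-types and $!$. These cases are essentially proved in
[Bar97]. □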

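Notice that in the proof of Lemma 2.15 we do not need parametricity. Suppose

$$\Xi \mid - \vdash f : \alpha' \multimap \alpha,\ g : \beta \multimap \beta'.$$

We shall write $\sigma(f,g)$ for

$$M_{\sigma(\alpha,\beta)}\,\alpha\,\beta\,\alpha'\,\beta'\,!f\,!g.$$

The type of $\sigma(f,g)$ is $\sigma(\alpha,\beta) \multimap \sigma(\alpha',\beta')$. Notice that we apply $M$ to $!f$, $!g$, since $M$ is of
intuitionistic function type ($\to$ instead of $\multimap$). By the previous lemma, $\sigma$ defines a bifunctor
$\mathbf{LinType}_\Xi^{op} \times \mathbf{LinType}_\Xi \to \mathbf{LinType}_\Xi$ for each $\Xi$.

First we consider this in the case of only one argument:

Lemma 2.16 (Graph lemma). Assuming identity extension, for any type $\alpha \vdash \sigma$ with $\alpha$
occurring only positively and any map $f : \tau \multimap \tau'$

$$\sigma[\langle f\rangle] \equiv \langle\sigma(f)\rangle.$$

Likewise, suppose $\alpha \vdash \sigma'$ is a type with $\alpha$ only occurring negatively. Then identity extension
implies

$$\sigma'[\langle f\rangle] \equiv \langle\sigma'(f)\rangle^{op}$$

where $\langle\sigma'(f)\rangle^{op}$ is $(x : \sigma'(\tau), y : \sigma'(\tau')).\ \langle\sigma'(f)\rangle(y,x)$.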

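Proof. We will only prove the first half of the lemma; the other half is proved the same
way. Since $\alpha$ occurs only positively in $\sigma$, we will assume for readability that $M_\sigma$ has type
$\prod\alpha,\beta.\ (\alpha \multimap \beta) \to \sigma(\alpha) \multimap \sigma(\beta)$.

By parametricity of $M_\sigma$, we have, for any pair of admissible relations $\rho : \mathrm{AdmRel}(\alpha,\alpha')$
and $\rho' : \mathrm{AdmRel}(\beta,\beta')$,

$$(M_\sigma\,\alpha\,\beta)((\rho \multimap \rho') \to (\sigma[\rho] \multimap \sigma[\rho']))(M_\sigma\,\alpha'\,\beta'). \qquad (2.1)$$

Let $f : \tau \multimap \tau'$ be arbitrary. If we instantiate (2.1) with $\rho = eq_\tau$ and $\rho' = \langle f\rangle$, we get

$$(M_\sigma\,\tau\,\tau)((eq_\tau \multimap \langle f\rangle) \to (eq_{\sigma(\tau)} \multimap \sigma[\langle f\rangle]))(M_\sigma\,\tau\,\tau'),$$

using the identity extension schema. Since $id_\tau\,(eq_\tau \multimap \langle f\rangle)\,f$,

$$!id_\tau\,(!(eq_\tau \multimap \langle f\rangle))\,!f,$$

and using $M_\sigma\,\tau\,\tau'\,!f = \sigma(f)$ we get

$$id_{\sigma(\tau)}\,(eq_{\sigma(\tau)} \multimap \sigma[\langle f\rangle])\,\sigma(f),$$

i.e.,

$$\forall x : \sigma(\tau).\ x\,(\sigma[\langle f\rangle])\,(\sigma(f)\,x).$$

We have thus proved $\langle\sigma(f)\rangle$ implies $\sigma[\langle f\rangle]$.

To prove the other direction, instantiate (2.1) with the admissible relations $\rho = \langle f\rangle$,
$\rho' = eq_{\tau'}$ for $f : \tau \multimap \tau'$. Since $f\,(\langle f\rangle \multimap eq_{\tau'})\,id_{\tau'}$,

$$\sigma(f)\,(\sigma[\langle f\rangle] \multimap eq_{\sigma(\tau')})\,id_{\sigma(\tau')}.$$

So for any $x : \sigma(\tau)$ and $y : \sigma(\tau')$ we have $x\,(\sigma[\langle f\rangle])\,y$ implies $\sigma(f)\,x =_{\sigma(\tau')} y$. This just means
that $\sigma[\langle f\rangle]$ implies $\langle\sigma(f)\rangle$. □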



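2.8. Existential types. In this section we consider existential or sum types. If $\Xi, \alpha \vdash \sigma$ is
a type, we define the type $\Xi \vdash \coprod\alpha.\ \sigma$ as

$$\textstyle\coprod\alpha.\ \sigma = \prod\beta.\ (\prod\alpha.\ \sigma \multimap \beta) \multimap \beta.$$

In fact, this defines a functor

$$\mathbf{LinType}_{\Xi,\alpha} \to \mathbf{LinType}_\Xi$$

with functorial action as defined in Section 2.7. In this section we show that this functor is
left adjoint to the weakening functor

$$\mathbf{LinType}_\Xi \to \mathbf{LinType}_{\Xi,\alpha}$$

mapping a type $\Xi \vdash \sigma$ to $\Xi, \alpha \vdash \sigma$. In other words, we show that for any type $\Xi \vdash \tau$, there is a
one-to-one correspondence between terms $\Xi \vdash t : (\coprod\alpha.\ \sigma) \multimap \tau$ and terms $\Xi, \alpha \vdash t : \sigma \multimap \tau$ if we
consider terms up to internal equality provable using identity extension and extensionality.

First define the term

$$pack : \textstyle\prod\alpha.\ (\sigma \multimap \coprod\alpha.\ \sigma)$$

as $\Lambda\alpha.\ \lambda^\circ x : \sigma.\ \Lambda\beta.\ \lambda^\circ f : \prod\alpha.\ (\sigma \multimap \beta).\ f\,\alpha\,x$. The correspondence is as follows. Suppose
first $\Xi, \alpha \vdash t : \sigma \multimap \tau$. Then $\Xi \vdash \hat{t} : (\coprod\alpha.\ \sigma) \multimap \tau$ is $\lambda^\circ x : (\coprod\alpha.\ \sigma).\ x\,\tau\,(\Lambda\alpha.\ t)$. If
$\Xi \vdash s : (\coprod\alpha.\ \sigma) \multimap \tau$ then $\Xi, \alpha \vdash \check{s} : \sigma \multimap \tau$ is defined to be $\lambda^\circ x : \sigma.\ s(pack\,\alpha\,x)$.

Now, suppose we start with a term $\Xi, \alpha \vdash t : \sigma \multimap \tau$; then

$$\begin{aligned}
\check{\hat{t}} &= \lambda^\circ x : \sigma.\ (\lambda^\circ y : \textstyle\coprod\alpha.\ \sigma.\ y\,\tau\,(\Lambda\alpha.\ t))\ (pack\,\alpha\,x)\\
&= \lambda^\circ x : \sigma.\ pack\,\alpha\,x\,\tau\,(\Lambda\alpha.\ t)\\
&= \lambda^\circ x : \sigma.\ (\Lambda\alpha.\ t)\,\alpha\,x\\
&= t.
\end{aligned}$$

It remains to prove that $\hat{\check{s}}$ is equal to $s$ for any $\Xi \vdash s : (\coprod\alpha.\ \sigma) \multimap \tau$. For this we need to
use identity extension.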
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Lemma 2.17. Suppose x: ]Ja. o", r, r' are types and f:T—oT',g: Yla. a —o t. Then 
using identity extension and extensionality, 

X t' (Aa. f o{g a)) f {xt g) 

Proof. Using identity extension on g it is easy to see that gij\ a.a ^ {f))Aa. f o (g a). If 
x: ]J a. cr then by identity extension 

XT g{f)xT' (Aa. /o [g a)) 
which is what we needed to prove. □ 
Lemma 2.18. It is provable using identity extension and extensionality that 

\/x: (]Ja.cr).x Y[a. a pack =y^^^ x 
Proof. Suppose we are given j3 and / : a. cr ^ /?. We show that 

X f =p X (]J a. a) pack (5 f 
Define f = X°x: (JJa. a) x (3 f oi type (JJa.a) ^ p. By Lemma \TT7\ 

X (3 (Aa. /' o (pack a)) =p f'{x ]J[ a. cj pack) =p x Wa.a pack (3 f 
so we just need to show that Aa. /' o [pack a) is internahy equal to /. But 
Aa. /' o (pack a) ay =p f {pack ay) =p pack ay [3 f =p f ay. 

□ 

Proposition 2.19. Suppose H h s: (IJa. cr) t. It is provable using identity extension 
and extensionality that s is internally equal to s. 

Proof. 

s{x) =r X T (Aa. X°x' : a. s (pack a x')) =r s (x \Ja.a pack) =r s x 
where for the second equahty we have used Lemma 12.171 □ 
Parametricity induces the following reasoning principle for existential types. 

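Proposition 2.20. For $x, y\colon \coprod\alpha.\sigma(\alpha)$ the following is equivalent to internal equality of $x$ and $y$.

$$\exists \alpha, \beta, R\colon \mathrm{AdmRel}(\alpha, \beta), x'\colon \sigma(\alpha), y'\colon \sigma(\beta).\ x = \mathit{pack}\ \alpha\ x' \wedge y = \mathit{pack}\ \beta\ y' \wedge \sigma[R](x', y').$$
As a special case we get the following principle:

$$\forall x\colon \textstyle\coprod\alpha.\sigma(\alpha).\ \exists \alpha, x'\colon \sigma(\alpha).\ x =_{\coprod\alpha.\sigma(\alpha)} \mathit{pack}\ \alpha\ x'.$$

Proof. Let us for simplicity write $\chi$ for

$$(x, y).\ \exists \alpha, \beta, R\colon \mathrm{AdmRel}(\alpha, \beta), x'\colon \sigma(\alpha), y'\colon \sigma(\beta).\ x = \mathit{pack}\ \alpha\ x' \wedge y = \mathit{pack}\ \beta\ y' \wedge \sigma[R](x', y').$$

We now prove that, for any pair of types $\tau, \tau'$, any admissible relation $S\colon \mathrm{AdmRel}(\tau, \tau')$, and any pair of maps $t, t'$ we have

$$(t, t')\colon eq_{\coprod\alpha.\sigma(\alpha)} \multimap S$$

iff

$$(t, t')\colon \chi \multimap S$$

and the two implications of the first part of the proposition follow from the case of $t, t'$ both being identity and taking $S$ to be respectively $\chi$ and $eq_{\coprod\alpha.\sigma(\alpha)}$.

First notice that each of the following judgements holds iff the next one does:

$$\Xi \mid x, y \vdash \chi(x, y) \supset S(t(x), t'(y))$$

$$\Xi, \alpha, \beta \mid R\colon \mathrm{AdmRel}(\alpha, \beta) \mid x, y, x', y' \vdash \sigma[R](x', y') \supset S(t(\mathit{pack}\ \alpha\ x'), t'(\mathit{pack}\ \beta\ y'))$$

$$\Xi, \alpha, \beta \mid R\colon \mathrm{AdmRel}(\alpha, \beta) \mid x', y' \vdash \sigma[R](x', y') \supset S(\check{t}(x'), \check{t}'(y'))$$
so it suffices to show that

$$\Xi \mid x, y \vdash x =_{\coprod\alpha.\sigma(\alpha)} y \supset S(t(x), t'(y))$$

holds iff

$$\Xi, \alpha, \beta \mid R\colon \mathrm{AdmRel}(\alpha, \beta) \mid x', y' \vdash \sigma[R](x', y') \supset S(\check{t}(x'), \check{t}'(y'))$$

does, i.e., that $(t, t')$ preserve relations iff $(\check{t}, \check{t}')$ do.

First assume $(t, t')$ preserve relations. By parametricity of $\mathit{pack}$,

$$(\mathit{pack}\ \alpha, \mathit{pack}\ \beta)\colon \sigma[R] \multimap eq_{\coprod\alpha.\sigma(\alpha)},$$

and so since $\check{t} = t \circ (\mathit{pack}\ \alpha)$ and $\check{t}' = t' \circ (\mathit{pack}\ \beta)$ the pair $(\check{t}, \check{t}')$ preserve relations. On the other hand, if $(\check{t}, \check{t}')$ preserve relations then

$$(\Lambda\alpha.\ \check{t}, \Lambda\beta.\ \check{t}')\colon \forall \alpha, \beta, R\colon \mathrm{AdmRel}(\alpha, \beta).\ \sigma[R] \multimap S,$$

and so by parametricity, if $eq_{\coprod\alpha.\sigma(\alpha)}(x, y)$ then

$$(t(x), t'(y)) = \big(x\ \textstyle\coprod\alpha.\sigma(\alpha)\ (\Lambda\alpha.\ \check{t}),\ y\ \coprod\alpha.\sigma(\alpha)\ (\Lambda\beta.\ \check{t}')\big) \in S.$$

□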



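2.9. Initial algebras. Suppose $\alpha \vdash \sigma\colon \mathsf{Type}$ is an inductively constructed type in which $\alpha$ occurs only positively. As we have seen earlier, such a type induces a functor

$$\mathbf{LinType}_\Xi \to \mathbf{LinType}_\Xi$$

for each $\Xi$. We aim to define an initial algebra for this type.
Define the closed type

$$\mu\alpha.\sigma(\alpha) = \prod\alpha.\ (\sigma(\alpha) \multimap \alpha) \to \alpha,$$

and define

$$\mathit{fold}\colon \prod\alpha.\ (\sigma(\alpha) \multimap \alpha) \to (\mu\alpha.\sigma(\alpha) \multimap \alpha)$$

as

$$\mathit{fold} = \Lambda\alpha.\ \lambda f\colon \sigma(\alpha) \multimap \alpha.\ \lambda^\circ u\colon \mu\alpha.\sigma(\alpha).\ u\ \alpha\ !f,$$

and

$$\mathit{in}\colon \sigma(\mu\alpha.\sigma(\alpha)) \multimap \mu\alpha.\sigma(\alpha)$$

as

$$\mathit{in}\ z = \Lambda\alpha.\ \lambda f\colon \sigma(\alpha) \multimap \alpha.\ f(\sigma(\mathit{fold}\ \alpha\ !f)\ z).$$

Lemma 2.21. For any algebra $f\colon \sigma(\tau) \multimap \tau$, $\mathit{fold}\ \tau\ !f$ is a map of algebras from $(\mu\alpha.\sigma(\alpha), \mathit{in})$ to $(\tau, f)$, i.e., the diagram

$$\begin{array}{ccc}
\sigma(\mu\alpha.\sigma(\alpha)) & \overset{\mathit{in}}{\multimap} & \mu\alpha.\sigma(\alpha) \\
{\scriptstyle \sigma(\mathit{fold}\ \tau\ !f)}\ \downarrow & & \downarrow\ {\scriptstyle \mathit{fold}\ \tau\ !f} \\
\sigma(\tau) & \overset{f}{\multimap} & \tau
\end{array}$$

commutes.

Proof. For $x\colon \sigma(\mu\alpha.\sigma(\alpha))$

$$(\mathit{fold}\ \tau\ !f) \circ \mathit{in}\ x = \mathit{in}\ x\ \tau\ !f = f(\sigma(\mathit{fold}\ \tau\ !f)\ x),$$

as desired. □

In words we have shown that $\mathit{in}$ defines a weakly initial algebra for the functor defined by $\sigma$ in $\mathbf{LinType}_\Xi$ for each $\Xi$. Notice that parametricity was not needed in this proof.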

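Lemma 2.22. Suppose $\Xi \mid \Gamma; - \vdash f\colon \sigma(\tau) \multimap \tau$ and $\Xi \mid \Gamma; - \vdash g\colon \sigma(\omega) \multimap \omega$ are algebras for $\sigma$, and $\Xi \mid \Gamma; - \vdash h\colon \tau \multimap \omega$ is a map of algebras, i.e., $h\,f = g\,\sigma(h)$. Then, assuming identity extension and extensionality,

$$h \circ (\mathit{fold}\ \tau\ !f) =_{\mu\alpha.\sigma(\alpha) \multimap \omega} \mathit{fold}\ \omega\ !g.$$

Proof. Since $h$ is a map of algebras

$$f\,(\langle\sigma(h)\rangle \multimap \langle h\rangle)\,g,$$

so by the Graph Lemma (2.16)

$$f\,(\sigma[\langle h\rangle] \multimap \langle h\rangle)\,g$$

and by Lemma 1.33

$$!f\,\big(!(\sigma[\langle h\rangle] \multimap \langle h\rangle)\big)\,!g.$$

Clearly $(\mathit{fold}, \mathit{fold}) \in eq_{\prod\alpha.(\sigma(\alpha) \multimap \alpha) \to (\mu\alpha.\sigma(\alpha) \multimap \alpha)}$, and thus, by identity extension,
$$(\mathit{fold}, \mathit{fold}) \in \prod\alpha.\ (\sigma(\alpha) \multimap \alpha) \to (\beta \multimap \alpha)[eq_{\mu\alpha.\sigma(\alpha)}/\beta],$$
so for any $x\colon \mu\alpha.\sigma(\alpha)$,

$$(\mathit{fold}\ \tau\ !f\ x)\,\langle h\rangle\,(\mathit{fold}\ \omega\ !g\ x),$$

i.e.,

$$h \circ (\mathit{fold}\ \tau\ !f) =_{\mu\alpha.\sigma(\alpha) \multimap \omega} \mathit{fold}\ \omega\ !g,$$
as desired. □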

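Lemma 2.23. Using identity extension and extensionality,

$$\mathit{fold}\ \mu\alpha.\sigma(\alpha)\ !\mathit{in} =_{\mu\alpha.\sigma(\alpha) \multimap \mu\alpha.\sigma(\alpha)} id_{\mu\alpha.\sigma(\alpha)}.$$

Proof. By Lemma 2.22 we know that for any type $\tau$, $f\colon \sigma(\tau) \multimap \tau$ and $u\colon \mu\alpha.\sigma(\alpha)$

$$(\mathit{fold}\ \tau\ !f) \circ (\mathit{fold}\ \mu\alpha.\sigma(\alpha)\ !\mathit{in})\ u =_\tau \mathit{fold}\ \tau\ !f\ u.$$
The left hand side of this equation becomes

$$\mathit{fold}\ \tau\ !f\ (u\ \mu\alpha.\sigma(\alpha)\ !\mathit{in}) = (u\ \mu\alpha.\sigma(\alpha)\ !\mathit{in})\ \tau\ !f$$
and, since the right hand side is simply

$$u\ \tau\ !f,$$

the lemma follows from Lemma 1.37. □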

Theorem 2.24. Consider an algebra $\Xi \mid -; - \vdash f\colon \sigma(\tau) \multimap \tau$ and a map of algebras $\Xi \mid -; - \vdash h\colon \mu\alpha.\sigma(\alpha) \multimap \tau$ from $\mathit{in}$ to $f$. Then if we assume identity extension and extensionality, $h =_{\mu\alpha.\sigma(\alpha) \multimap \tau} \mathit{fold}\ \tau\ !f$.

Proof. By Lemma 2.22 we have

$$h \circ (\mathit{fold}\ \mu\alpha.\sigma(\alpha)\ !\mathit{in}) =_{\mu\alpha.\sigma(\alpha) \multimap \tau} \mathit{fold}\ \tau\ !f.$$

Lemma 2.23 finishes the job. □

We have shown that $\mathit{in}$ defines an initial algebra.

In the logic, the initial algebras also satisfy an induction principle. We now show the following (relational) induction principle.

Theorem 2.25 (Induction). Suppose $R\colon \mathrm{AdmRel}(\mu\alpha.\sigma(\alpha), \mu\alpha.\sigma(\alpha))$ satisfies

$$(\mathit{in}, \mathit{in})\colon \sigma[R] \multimap R.$$

Then

$$\forall x\colon \mu\alpha.\sigma(\alpha).\ R(x, x).$$

Remark 2.26. The induction principle speaks about relations since it is obtained as a consequence of binary parametricity. In case one also has unary parametricity available (for some notion of admissible propositions), applying the proof of Theorem 2.25 to unary parametricity will yield the well-known propositional induction principle: If $\phi$ is an admissible proposition on $\mu\alpha.\sigma(\alpha)$, then

$$(\forall x\colon \sigma(\mu\alpha.\sigma(\alpha)).\ \sigma[\phi](x) \supset \phi(\mathit{in}\ x)) \supset \forall x\colon \mu\alpha.\sigma(\alpha).\ \phi(x).$$

Proof of Theorem 2.25. By parametricity, for any $x\colon \mu\alpha.\sigma(\alpha)$,

$$x\,\big(\forall \alpha, \beta, R\colon \mathrm{AdmRel}(\alpha, \beta).\ (\sigma[R] \multimap R) \to R\big)\,x.$$

The assumption states that $(\mathit{in}, \mathit{in})\colon \sigma[R] \multimap R$ and so by Lemma 1.33

$$(!\mathit{in}, !\mathit{in})\colon\ !(\sigma[R] \multimap R).$$

Thus

$$R(x\ \mu\alpha.\sigma(\alpha)\ !\mathit{in},\ x\ \mu\alpha.\sigma(\alpha)\ !\mathit{in}).$$
Finally, Lemma 2.23 tells us that $x\ \mu\alpha.\sigma(\alpha)\ !\mathit{in} = x$, which proves the theorem. □
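
The encoding of Section 2.9 can be run in any language with rank-2 polymorphism. The TypeScript below is an added example, not code from the paper: it assumes the instance σ(α) = 1 + (number × α), ignores linearity (⊸, → and ! all become ordinary functions), and the names `Sigma`, `mapSigma`, `inn` (for in, a reserved word), the sample algebras and the constructed list `xs` are hypothetical. It checks Lemmas 2.21, 2.22 and 2.23 on that list.

```typescript
// sigma(alpha) = 1 + (number x alpha): the list functor (assumed instance; the page keeps sigma abstract).
type Sigma<A> = { tag: "nil" } | { tag: "cons"; head: number; tail: A };

// Functorial action sigma(f), defined by cases on the structure of sigma.
function mapSigma<A, B>(f: (a: A) => B, s: Sigma<A>): Sigma<B> {
  if (s.tag === "nil") return { tag: "nil" };
  return { tag: "cons", head: s.head, tail: f(s.tail) };
}

// An algebra sigma(alpha) -o alpha.
type Alg<A> = (s: Sigma<A>) => A;

// mu alpha. sigma(alpha) = Pi alpha. (sigma(alpha) -o alpha) -> alpha:
// an element is a function that, for every carrier, turns an algebra into a value.
type Mu = <A>(alg: Alg<A>) => A;

// fold = Lambda alpha. lambda f. lambda u. u alpha !f
function fold<A>(alg: Alg<A>): (u: Mu) => A {
  return (u) => u(alg);
}

// in z = Lambda alpha. lambda f. f(sigma(fold alpha !f) z)
function inn(z: Sigma<Mu>): Mu {
  return <A>(alg: Alg<A>): A => alg(mapSigma(fold(alg), z));
}

// Constructors derived from `inn`, and a constructed sample list [1, 2, 3].
const nil: Mu = inn({ tag: "nil" });
const cons = (head: number, tail: Mu): Mu => inn({ tag: "cons", head, tail });
const xs: Mu = cons(1, cons(2, cons(3, nil)));

// Sample algebras (hypothetical names).
const sumAlg: Alg<number> = (s) => (s.tag === "nil" ? 0 : s.head + s.tail);
const dblAlg: Alg<number> = (s) => (s.tag === "nil" ? 0 : 2 * s.head + s.tail);
const listAlg: Alg<number[]> = (s) => (s.tag === "nil" ? [] : [s.head, ...s.tail]);
const toArray = fold(listAlg);

// Lemma 2.21: (fold f) o in = f o sigma(fold f), evaluated at z = cons(4, xs).
function lemma221(): [number, number] {
  const z: Sigma<Mu> = { tag: "cons", head: 4, tail: xs };
  return [fold(sumAlg)(inn(z)), sumAlg(mapSigma(fold(sumAlg), z))];
}

// Lemma 2.22: h(n) = 2n is an algebra map from sumAlg to dblAlg,
// so h o (fold sumAlg) and fold dblAlg agree.
function lemma222(): [number, number] {
  const h = (n: number): number => 2 * n;
  return [h(fold(sumAlg)(xs)), fold(dblAlg)(xs)];
}

// Lemma 2.23: fold in = id. Elements of Mu are functions, so the two sides
// are compared through an observation (here: conversion to an array).
function lemma223(): [number[], number[]] {
  return [toArray(fold(inn)(xs)), toArray(xs)];
}
```

Equality in Lemma 2.23 is internal equality in the logic; the code can only compare the two sides through a chosen algebra, which is what extensionality reduces the statement to.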

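2.10. Final Coalgebras. As in Section 2.9 we will assume that $\alpha \vdash \sigma(\alpha)\colon \mathsf{Type}$ is a type in which $\alpha$ occurs only positively, and this time we construct final coalgebras for the induced functor.
Define

$$\nu\alpha.\sigma(\alpha) = \coprod\alpha.\ !(\alpha \multimap \sigma(\alpha)) \otimes \alpha = \prod\beta.\ \Big(\prod\alpha.\ (!(\alpha \multimap \sigma(\alpha)) \otimes \alpha \multimap \beta)\Big) \multimap \beta$$
with combinators

$$\begin{aligned}
\mathit{unfold}&\colon \prod\alpha.\ (\alpha \multimap \sigma(\alpha)) \to \alpha \multimap \nu\alpha.\sigma(\alpha), \\
\mathit{out}&\colon \nu\alpha.\sigma(\alpha) \multimap \sigma(\nu\alpha.\sigma(\alpha))
\end{aligned}$$

defined by

$$\begin{aligned}
\mathit{unfold} &= \Lambda\alpha.\ \lambda^\circ f\colon\ !(\alpha \multimap \sigma(\alpha)).\ \lambda^\circ x\colon \alpha.\ \mathit{pack}\ \alpha\ (f \otimes x) \\
\mathit{out} &= \lambda^\circ x\colon \nu\alpha.\sigma(\alpha).\ x\ \sigma(\nu\alpha.\sigma(\alpha))\ r,
\end{aligned}$$

where

$$\begin{aligned}
r &\colon \prod\alpha.\ !(\alpha \multimap \sigma(\alpha)) \otimes \alpha \multimap \sigma(\nu\alpha.\sigma(\alpha)) \\
r &= \Lambda\alpha.\ \lambda^\circ y\colon\ !(\alpha \multimap \sigma(\alpha)) \otimes \alpha.\ \text{let } w \otimes z \text{ be } y \text{ in } \sigma(\mathit{unfold}\ \alpha\ w)(\text{let } !f \text{ be } w \text{ in } f\ z).
\end{aligned}$$

Lemma 2.27. For any coalgebra $f\colon \tau \multimap \sigma(\tau)$, the map $\mathit{unfold}\ \tau\ !f$ is a map of coalgebras from $f$ to $\mathit{out}$.

Proof. We need to prove that the following diagram commutes

$$\begin{array}{ccc}
\tau & \overset{f}{\multimap} & \sigma(\tau) \\
{\scriptstyle \mathit{unfold}\ \tau\ !f}\ \downarrow & & \downarrow\ {\scriptstyle \sigma(\mathit{unfold}\ \tau\ !f)} \\
\nu\alpha.\sigma(\alpha) & \overset{\mathit{out}}{\multimap} & \sigma(\nu\alpha.\sigma(\alpha)).
\end{array}$$

But this is done by a simple computation

$$\begin{aligned}
\mathit{out}(\mathit{unfold}\ \tau\ !f\ x) &= \mathit{out}(\mathit{pack}\ \tau\ (!f) \otimes x) \\
&= \mathit{pack}\ \tau\ (!f) \otimes x\ \sigma(\nu\alpha.\sigma(\alpha))\ r \\
&= r\ \tau\ ((!f) \otimes x) \\
&= \sigma(\mathit{unfold}\ \tau\ (!f))(f\ x).
\end{aligned}$$

□

Lemma 2.27 shows that $\mathit{out}$ is a weakly final coalgebra for the functor induced by $\sigma$ on $\mathbf{LinType}_\Xi$ for each $\Xi$. Notice that parametricity was not needed here.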

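Lemma 2.28. Suppose $h\colon \tau \multimap \tau'$ is a map of coalgebras from $f\colon \tau \multimap \sigma(\tau)$ to $f'\colon \tau' \multimap \sigma(\tau')$. If we assume identity extension, then the diagram

$$\begin{array}{ccc}
\tau & \overset{\mathit{unfold}\ \tau\ !f}{\multimap} & \nu\alpha.\sigma(\alpha) \\
{\scriptstyle h}\ \downarrow & \nearrow\ {\scriptstyle \mathit{unfold}\ \tau'\ !f'} & \\
\tau' & &
\end{array}$$

commutes internally.

Proof. Using the Graph Lemma, the notion of $h$ being a map of coalgebras can be expressed as

$$f\,(\langle h\rangle \multimap \sigma[\langle h\rangle])\,f'.$$

Now, by parametricity of $\mathit{unfold}$,

$$\mathit{unfold}\ \tau\ !f\ \,(\langle h\rangle \multimap eq_{\nu\alpha.\sigma(\alpha)})\,\ \mathit{unfold}\ \tau'\ !f',$$
which is exactly what we wanted to prove. □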
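Lemma 2.29. Given linear contexts $C$ and $C'$, suppose

$$\forall x\colon \sigma.\ \forall y\colon \tau.\ C[x \otimes y] =_\omega C'[x \otimes y].$$

Then

$$\forall z\colon \sigma \otimes \tau.\ \text{let } x \otimes y \text{ be } z \text{ in } C[x \otimes y] =_\omega \text{let } x \otimes y \text{ be } z \text{ in } C'[x \otimes y].$$

Proof. Consider

$$f = \lambda^\circ x\colon \sigma.\ \lambda^\circ y\colon \tau.\ C[x \otimes y] \qquad f' = \lambda^\circ x\colon \sigma.\ \lambda^\circ y\colon \tau.\ C'[x \otimes y];$$

then

$$f\,(eq_\sigma \multimap eq_\tau \multimap eq_\omega)\,f'.$$
If $z\colon \sigma \otimes \tau$ then by identity extension $eq_\sigma \otimes eq_\tau(z, z)$. By definition of $eq_\sigma \otimes eq_\tau$ we have

$$\text{let } x \otimes x' \text{ be } z \text{ in } f\ x\ x' =_\omega \text{let } x \otimes x' \text{ be } z \text{ in } f'\ x\ x',$$

which proves the lemma. □

Lemma 2.30. Using extensionality and identity extension,

$$\mathit{unfold}\ \nu\alpha.\sigma(\alpha)\ !\mathit{out}$$
is internally equal to the identity on $\nu\alpha.\sigma(\alpha)$.

Proof. Set $h = \mathit{unfold}\ \nu\alpha.\sigma(\alpha)\ !\mathit{out}$ in the following.

By Lemma 2.27 $h$ is a map of coalgebras from $\mathit{out}$ to $\mathit{out}$, so by Lemma 2.28 $h = h^2$. Intuitively, all we need to prove now is that $h$ is "surjective".

Consider any $g\colon \prod\alpha.\ (!(\alpha \multimap \sigma(\alpha)) \otimes \alpha \multimap \beta)$. For any coalgebra map $k\colon \alpha \multimap \alpha'$ from $f\colon \alpha \multimap \sigma(\alpha)$ to $f'\colon \alpha' \multimap \sigma(\alpha')$, we must have, by Lemmas 2.16, 1.33 and 1.32,

$$(!f \otimes x)\,\big(!(\langle k\rangle \multimap \sigma[\langle k\rangle]) \otimes \langle k\rangle\big)\,(!f' \otimes k\,x),$$

so by identity extension and parametricity of $g$,

$$\forall x\colon \alpha.\ g\ \alpha\ (!f) \otimes x =_\beta g\ \alpha'\ (!f') \otimes k(x).$$

Using this on the coalgebra map $\mathit{unfold}\ \alpha\ !f$ from $f$ to $\mathit{out}$ we obtain

$$\forall x\colon \alpha.\ g\ \alpha\ (!f) \otimes x =_\beta g\ \nu\alpha.\sigma(\alpha)\ (!\mathit{out}) \otimes \mathit{unfold}\ \alpha\ !f\ x.$$

By Lemma 1.37 this implies that

$$\forall f\colon\ !(\alpha \multimap \sigma(\alpha)), x\colon \alpha.\ g\ \alpha\ f \otimes x =_\beta g\ \nu\alpha.\sigma(\alpha)\ (!\mathit{out}) \otimes \mathit{unfold}\ \alpha\ f\ x,$$

which implies

$$\forall z\colon\ !(\alpha \multimap \sigma(\alpha)) \otimes \alpha.\ g\ \alpha\ z =_\beta g\ \nu\alpha.\sigma(\alpha)\ (\text{let } f \otimes x \text{ be } z \text{ in } (!\mathit{out}) \otimes \mathit{unfold}\ \alpha\ f\ x)$$

using Lemma 2.29.

In other words, if we define

$$k\colon \prod\alpha.\ (!(\alpha \multimap \sigma(\alpha)) \otimes \alpha \multimap \tau),$$

where $\tau =\ !(\nu\alpha.\sigma(\alpha) \multimap \sigma(\nu\alpha.\sigma(\alpha))) \otimes \nu\alpha.\sigma(\alpha)$, to be

$$k = \Lambda\alpha.\ \lambda^\circ y\colon\ !(\alpha \multimap \sigma(\alpha)) \otimes \alpha.\ \text{let } f \otimes x \text{ be } y \text{ in } (!\mathit{out}) \otimes \mathit{unfold}\ \alpha\ f\ x,$$

then

$$\forall \alpha.\ g\ \alpha =_{!(\alpha \multimap \sigma(\alpha)) \otimes \alpha \multimap \beta} (g\ \nu\alpha.\sigma(\alpha)) \circ (k\ \alpha). \qquad (2.2)$$
Now, suppose we are given $\alpha, \alpha'$, $R\colon \mathrm{Rel}(\alpha, \alpha')$ and terms $f, f'$ such that

$$f\,\big(!(R \multimap \sigma[R]) \otimes R\big)\,f'.$$
Then, by (2.2) and parametricity of $g$

$$g\ \alpha\ f =_\beta g\ \alpha'\ f' =_\beta (g\ \nu\alpha.\sigma(\alpha))(k\ \alpha'\ f'),$$

from which we conclude

$$g\,\big(\forall(\alpha, \beta, R\colon \mathrm{Rel}(\alpha, \beta)).\ (!(R \multimap \sigma[R]) \otimes R \multimap \langle g\ \nu\alpha.\sigma(\alpha)\rangle^{op})\big)\,k.$$

(Here we use $S^{op}$ for the inverse relation of $S$.) Using parametricity, this implies that, for any $x\colon \nu\alpha.\sigma(\alpha)$, we have

$$x\ \beta\ g =_\beta g\ \nu\alpha.\sigma(\alpha)\ (x\ \tau\ k).$$
Thus, since $g$ was arbitrary, we may apply the above to $g = k$ and get

$$x\ \tau\ k =_\tau k\ \nu\alpha.\sigma(\alpha)\ (x\ \tau\ k) = \text{let } f \otimes z \text{ be } (x\ \tau\ k) \text{ in } (!\mathit{out}) \otimes \mathit{unfold}\ \alpha\ f\ z.$$
If we write

$$l = \lambda x\colon \nu\alpha.\sigma(\alpha).\ \text{let } f \otimes z \text{ be } (x\ \tau\ k) \text{ in } \mathit{unfold}\ \alpha\ f\ z,$$
then, since $k$ is a closed term, so is $l$, and from the above calculations we conclude that we have

$$\forall \beta.\ \forall g\colon \prod\alpha.\ !(\alpha \multimap \sigma(\alpha)) \otimes \alpha \multimap \beta.\ x\ \beta\ g =_\beta g\ \nu\alpha.\sigma(\alpha)\ (!\mathit{out}) \otimes (l\ x).$$
Now, finally,

$$\begin{aligned}
h(l\ x) &= \mathit{unfold}\ \nu\alpha.\sigma(\alpha)\ !\mathit{out}\ (l\ x) \\
&= \mathit{pack}\ \nu\alpha.\sigma(\alpha)\ !\mathit{out} \otimes (l\ x) \\
&= \Lambda\beta.\ \lambda g\colon \prod\alpha.\ (!(\alpha \multimap \sigma(\alpha)) \otimes \alpha \multimap \beta).\ g\ \nu\alpha.\sigma(\alpha)\ !\mathit{out} \otimes (l\ x) \\
&=_{\nu\alpha.\sigma(\alpha)} \Lambda\beta.\ \lambda g\colon \prod\alpha.\ (!(\alpha \multimap \sigma(\alpha)) \otimes \alpha \multimap \beta).\ x\ \beta\ g \\
&= x,
\end{aligned}$$

where we have used extensionality. Thus $l$ is a right inverse to $h$, and we conclude

$$h\ x =_{\nu\alpha.\sigma(\alpha)} h^2(l\ x) =_{\nu\alpha.\sigma(\alpha)} h(l\ x) =_{\nu\alpha.\sigma(\alpha)} x.$$

□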

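Theorem 2.31. Suppose $\Xi \mid -; - \vdash f\colon \tau \multimap \sigma(\tau)$ is a coalgebra and $\Xi \mid -; - \vdash h\colon \tau \multimap \mu\alpha.\sigma(\alpha)$ is a map of algebras from $f$ to $\mathit{out}$. Then if we assume identity extension and extensionality $h =_{\tau \multimap \mu\alpha.\sigma(\alpha)} \mathit{unfold}\ \alpha\ !f$.

Proof. Consider a map of coalgebras into $\mathit{out}$:

$$\begin{array}{ccc}
\tau & \overset{f}{\multimap} & \sigma(\tau) \\
{\scriptstyle g}\ \downarrow & & \downarrow\ {\scriptstyle \sigma(g)} \\
\nu\alpha.\sigma(\alpha) & \overset{\mathit{out}}{\multimap} & \sigma(\nu\alpha.\sigma(\alpha)).
\end{array}$$
By Lemmas 2.28 and 2.30,

$$\mathit{unfold}\ \tau\ !f =_{\tau \multimap \nu\alpha.\sigma(\alpha)} (\mathit{unfold}\ \nu\alpha.\sigma(\alpha)\ !\mathit{out}) \circ g =_{\tau \multimap \nu\alpha.\sigma(\alpha)} g.$$

□

Theorem 2.31 shows that $\mathit{out}$ is a final coalgebra for the endofunctor on $\mathbf{LinType}_\Xi$ induced by $\sigma$ for each $\Xi$.

We now show how the final coalgebras satisfy a coinduction principle.

Theorem 2.32 (Coinduction). Suppose that $R\colon \mathrm{AdmRel}(\nu\alpha.\sigma(\alpha), \nu\alpha.\sigma(\alpha))$ is such that

$$(\mathit{out}, \mathit{out})\colon R \multimap \sigma[R].$$

We then have that

$$\forall x, y\colon \nu\alpha.\sigma(\alpha).\ R(x, y) \supset x =_{\nu\alpha.\sigma(\alpha)} y.$$

Proof. Suppose $R\colon \mathrm{AdmRel}(\nu\alpha.\sigma(\alpha), \nu\alpha.\sigma(\alpha))$ satisfies $(\mathit{out}, \mathit{out})\colon R \multimap \sigma[R]$ and $R(x, y)$. By parametricity of

$$\mathit{pack}\colon \prod\alpha.\ !(\alpha \multimap \sigma(\alpha)) \otimes \alpha \multimap \nu\alpha.\sigma(\alpha)$$

we have

$$\mathit{pack}\ \nu\alpha.\sigma(\alpha)\ !\mathit{out} \otimes x =_{\nu\alpha.\sigma(\alpha)} \mathit{pack}\ \nu\alpha.\sigma(\alpha)\ !\mathit{out} \otimes y$$

and by 2.30

$$\begin{aligned}
\mathit{pack}\ \nu\alpha.\sigma(\alpha)\ !\mathit{out} \otimes x &=_{\nu\alpha.\sigma(\alpha)} x \\
\mathit{pack}\ \nu\alpha.\sigma(\alpha)\ !\mathit{out} \otimes y &=_{\nu\alpha.\sigma(\alpha)} y
\end{aligned}$$
which proves the theorem. □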






The next theorem is an interesting generalization of Theorem 2.32 stating that the assumption of admissibility in the coinduction principle is unnecessary. A similar result was proved by Pitts in the setting of coinductive types in the category of domains [Pit95]. To state this theorem we need again to use the general hypothesis of this section that $\sigma$ is an inductively defined type, since in this case we can define $\sigma[R]$ for general (not just admissible) relations inductively over the structure of $\sigma$ using the constructions of Section 1.2.2. Recall that for more general types $\sigma$ the construction $\sigma[R]$ is defined as in
Figure H] for admissible relations R only. 

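Theorem 2.33 (General coinduction principle). Suppose $R\colon \mathrm{Rel}(\nu\alpha.\sigma(\alpha), \nu\alpha.\sigma(\alpha))$ is a relation such that $(\mathit{out}, \mathit{out})\colon R \multimap \sigma[R]$, then

$$\forall x, y\colon \nu\alpha.\sigma(\alpha).\ R(x, y) \supset x =_{\nu\alpha.\sigma(\alpha)} y.$$

Proof. Suppose $R\colon \mathrm{Rel}(\nu\alpha.\sigma(\alpha), \nu\alpha.\sigma(\alpha))$ is any relation satisfying $(\mathit{out}, \mathit{out})\colon R \multimap \sigma[R]$. The idea of the proof is to use Theorem 2.32 on the admissible relation $\Phi(R)$. Since by Lemma 1.35 $\Phi$ is a functor,

$$(\mathit{out}, \mathit{out})\colon \Phi(R) \multimap \Phi(\sigma[R]),$$

and since $\sigma[\Phi(R)]$ is an admissible relation containing $\sigma[R]$, and $\Phi(\sigma[R])$ is the smallest such, we have $\Phi(\sigma[R]) \subset \sigma[\Phi(R)]$ and so

$$(\mathit{out}, \mathit{out})\colon \Phi(R) \multimap \sigma[\Phi(R)].$$

Now, the coinduction principle for admissible relations gives us

$$\forall x, y\colon \nu\alpha.\sigma(\alpha).\ \Phi(R)(x, y) \supset x =_{\nu\alpha.\sigma(\alpha)} y$$

and so the theorem follows from $R \subset \Phi(R)$. □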
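
The final-coalgebra encoding of Section 2.10 can be exercised the same way. The TypeScript below is an added example, not code from the paper: it assumes the instance σ(α) = number × α (streams), ignores linearity, and the names `Sig`, `Elim`, `take`, `from`, `fromBoxed` and `box` are hypothetical. Elements of the encoded type are compared by observing finitely many heads, which is how the bisimulation of Theorem 2.32 shows up operationally.

```typescript
// sigma(alpha) = number x alpha: the stream functor (assumed instance).
type Sig<A> = { head: number; tail: A };
function mapSig<A, B>(f: (a: A) => B, s: Sig<A>): Sig<B> {
  return { head: s.head, tail: f(s.tail) };
}

// A coalgebra alpha -o sigma(alpha).
type Coalg<A> = (a: A) => Sig<A>;

// Consumer of a package !(alpha -o sigma(alpha)) (x) alpha at an unknown carrier alpha.
type Elim<B> = <A>(coalg: Coalg<A>, seed: A) => B;

// nu alpha. sigma(alpha) = Pi beta. (Pi alpha. (!(alpha -o sigma(alpha)) (x) alpha -o beta)) -o beta
type Nu = <B>(k: Elim<B>) => B;

// pack hides the carrier type of a coalgebra together with a seed.
function pack<A>(coalg: Coalg<A>, seed: A): Nu {
  return <B>(k: Elim<B>): B => k(coalg, seed);
}

// unfold = Lambda alpha. lambda f. lambda x. pack alpha (f (x) x)
function unfold<A>(coalg: Coalg<A>): (x: A) => Nu {
  return (x) => pack(coalg, x);
}

// out = lambda x. x sigma(nu) r, where r opens the package, takes one step
// of the hidden coalgebra and re-packs the tail with unfold.
function out(x: Nu): Sig<Nu> {
  const r: Elim<Sig<Nu>> = <A>(coalg: Coalg<A>, seed: A): Sig<Nu> =>
    mapSig(unfold(coalg), coalg(seed));
  return x<Sig<Nu>>(r);
}

// Observation: the first n heads of a stream.
function take(n: number, x: Nu): number[] {
  const acc: number[] = [];
  let cur = x;
  for (let i = 0; i < n; i++) {
    const s = out(cur);
    acc.push(s.head);
    cur = s.tail;
  }
  return acc;
}

// Two constructed coalgebras on different carriers, and a coalgebra map between them.
const from: Coalg<number> = (n) => ({ head: n, tail: n + 1 });
const fromBoxed: Coalg<{ n: number }> = (p) => ({ head: p.n, tail: { n: p.n + 1 } });
const box = (n: number): { n: number } => ({ n });

const observe = (s: Sig<Nu>, n: number): number[] => [s.head, ...take(n, s.tail)];

// Lemma 2.27: out o (unfold f) = sigma(unfold f) o f, observed to depth 3 at x = 5.
function lemma227(): [number[], number[]] {
  return [observe(out(unfold(from)(5)), 3), observe(mapSig(unfold(from), from(5)), 3)];
}

// Lemma 2.28: box is a coalgebra map from `from` to `fromBoxed`,
// so unfold from and (unfold fromBoxed) o box denote the same stream.
function lemma228(): [number[], number[]] {
  return [take(4, unfold(from)(5)), take(4, unfold(fromBoxed)(box(5)))];
}

// Lemma 2.30: unfold out is the identity on the encoded type, up to observation.
function lemma230(): [number[], number[]] {
  const s = unfold(from)(5);
  return [take(4, unfold(out)(s)), take(4, s)];
}
```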

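2.11. Recursive type equations. In this section we consider inductively constructed types $\alpha \vdash \sigma(\alpha)$ and construct closed types $\mathit{rec}\ \alpha.\sigma(\alpha)$ such that $\sigma(\mathit{rec}\ \alpha.\sigma(\alpha)) \cong \mathit{rec}\ \alpha.\sigma(\alpha)$. In Sections 2.9 and 2.10 we solved the problem in the special case of $\alpha$ occurring only positively in $\sigma$, by finding initial algebras and final coalgebras for the functor induced by $\sigma$.

This section details the sketch of [Plo93], but the theory is due to Freyd [Fre90b, Fre90a, Fre91]. In short, the main observation is that because of the presence of fixed points, the initial algebras and final coalgebras of Sections 2.9, 2.10 coincide (Theorem 2.39 below). This phenomenon is called algebraic compactness, and was studied by Freyd in loc. cit. Using Freyd's techniques we find solutions to recursive type equations as advertised, and show that they satisfy a universal property called the initial dialgebra property. Moreover, we generalize the induction and coinduction properties of Theorems 2.25, 2.33 to a combined induction/coinduction property for recursive types. In Section 2.13 we treat the case of recursive type equations with parameters.

Before we start, observe that we may split the occurrences of $\alpha$ in $\sigma$ into positive and negative occurrences. So our standard assumption in this section is that we are given a type $\alpha, \beta \vdash \sigma(\alpha, \beta)$, in which $\alpha$ occurs only negatively and $\beta$ only positively, and we look for a type $\mathit{rec}\ \alpha.\sigma(\alpha, \alpha)$ isomorphic to $\sigma(\mathit{rec}\ \alpha.\sigma(\alpha, \alpha), \mathit{rec}\ \alpha.\sigma(\alpha, \alpha))$. In this notation, $\mathit{rec}\ \alpha.\sigma(\alpha, \alpha)$ binds $\alpha$ in $\sigma$.

2.11.1. Parametrized initial algebras. Set $\omega(\alpha) = \mu\beta.\sigma(\alpha, \beta) = \prod\beta.\ (\sigma(\alpha, \beta) \multimap \beta) \to \beta$.
Now, $\omega$ induces a contravariant functor from types to types.

Lemma 2.34. Assuming identity extension and extensionality, for $f\colon \alpha' \multimap \alpha$, up to internal equality $\omega(f)\colon \omega(\alpha) \multimap \omega(\alpha')$ is the unique $h$ such that

$$\begin{array}{ccc}
\sigma(\alpha, \omega(\alpha)) & \overset{\mathit{in}}{\multimap} & \omega(\alpha) \\
{\scriptstyle \sigma(id, h)}\ \downarrow & & \\
\sigma(\alpha, \omega(\alpha')) & & \downarrow\ {\scriptstyle h} \\
{\scriptstyle \sigma(f, id)}\ \downarrow & & \\
\sigma(\alpha', \omega(\alpha')) & \overset{\mathit{in}}{\multimap} & \omega(\alpha')
\end{array}$$

commutes internally.

Proof. One may define $\mathit{in}$ as a polymorphic term

$$\mathit{in}\colon \prod\alpha.\ \sigma(\alpha, \omega(\alpha)) \multimap \omega(\alpha)$$

by

$$\mathit{in} = \Lambda\alpha.\ \lambda^\circ z\colon \sigma(\alpha, \omega(\alpha)).\ \Lambda\beta.\ \lambda f\colon \sigma(\alpha, \beta) \multimap \beta.\ f(\sigma(\lambda x\colon \alpha.\ x, \mathit{fold}\ \beta\ !f)\ z).$$
By parametricity we have

$$\mathit{in}\ \alpha'\ \big(\sigma(\langle f\rangle, \omega(\langle f\rangle)) \multimap \omega(\langle f\rangle)\big)\ \mathit{in}\ \alpha,$$

which, by the Graph Lemma (Lemma 2.16), means that

$$\mathit{in}\ \alpha'\ \big(\langle\sigma(f, \omega(f))\rangle^{op} \multimap \langle\omega(f)\rangle^{op}\big)\ \mathit{in}\ \alpha,$$

which in turn amounts to internal commutativity of the diagram of the lemma.

Uniqueness is by initiality of $\mathit{in}$ (in $\mathbf{LinType}_\Xi$, proved as before) used on the diagram

$$\begin{array}{ccccc}
\sigma(\alpha, \omega(\alpha)) & & \overset{\mathit{in}}{\multimap} & & \omega(\alpha) \\
{\scriptstyle \sigma(id, h)}\ \downarrow & & & & \downarrow\ {\scriptstyle h} \\
\sigma(\alpha, \omega(\alpha')) & \overset{\sigma(f, id)}{\multimap} & \sigma(\alpha', \omega(\alpha')) & \overset{\mathit{in}}{\multimap} & \omega(\alpha').
\end{array}$$

□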



2.11.2. Dialgebras. 

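Definition 2.35. A dialgebra for $\sigma$ is a quadruple $(\tau, \tau', f, f')$ such that $\tau$ and $\tau'$ are types, and $f\colon \sigma(\tau', \tau) \multimap \tau$ and $f'\colon \tau' \multimap \sigma(\tau, \tau')$ are morphisms. A morphism of dialgebras from dialgebra $(\tau_0, \tau_0', f_0, f_0')$ to $(\tau_1, \tau_1', f_1, f_1')$ is a pair of morphisms $h\colon \tau_0 \multimap \tau_1$, $h'\colon \tau_1' \multimap \tau_0'$, such that

$$\begin{array}{ccc}
\sigma(\tau_0', \tau_0) & \overset{f_0}{\multimap} & \tau_0 \\
{\scriptstyle \sigma(h', h)}\ \downarrow & & \downarrow\ {\scriptstyle h} \\
\sigma(\tau_1', \tau_1) & \overset{f_1}{\multimap} & \tau_1
\end{array}
\qquad\qquad
\begin{array}{ccc}
\tau_1' & \overset{f_1'}{\multimap} & \sigma(\tau_1, \tau_1') \\
{\scriptstyle h'}\ \downarrow & & \downarrow\ {\scriptstyle \sigma(h, h')} \\
\tau_0' & \overset{f_0'}{\multimap} & \sigma(\tau_0, \tau_0')
\end{array}$$

commute.

Lemma 2.36. If $(h, h')$ is a map of dialgebras and $h, h'$ are isomorphisms, then $(h, h')$ is an isomorphism of dialgebras.

Proof. The only thing to prove here is that $(h^{-1}, (h')^{-1})$ is in fact a map of dialgebras, which is trivial. □

Remark 2.37. If we for the type $\alpha, \beta \vdash \sigma\colon \mathsf{Type}$ consider for each $\Xi$ the endofunctor

$$(\sigma^{op}, \sigma)\colon \mathbf{LinType}_\Xi^{op} \times \mathbf{LinType}_\Xi \to \mathbf{LinType}_\Xi^{op} \times \mathbf{LinType}_\Xi$$

defined by $(\alpha, \beta) \mapsto (\sigma(\beta, \alpha), \sigma(\alpha, \beta))$, then dialgebras for $\sigma$ are exactly the algebras for $(\sigma^{op}, \sigma)$, maps of dialgebras are maps of algebras for $(\sigma^{op}, \sigma)$ and initial dialgebras correspond to initial algebras. Dialgebras as considered here are a special case of what Hagino calls $F, G$-dialgebras in his thesis [Hag87], for $F$ being $(\sigma^{op}, \sigma)$ and $G$ being the identity functor.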

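Theorem 2.38. Assuming identity extension and extensionality, initial dialgebras exist for all functors induced by types $\sigma(\alpha, \beta)$, up to internal equality.

Proof. In this proof, commutativity of diagrams will mean commutativity up to internal equality.

Set $\omega(\alpha) = \mu\beta.\sigma(\alpha, \beta)$. Then, $\omega$ defines a contravariant functor. Define
$$\tau' = \nu\alpha.\ \sigma(\omega(\alpha), \alpha), \qquad \tau = \omega(\tau') = \mu\beta.\ \sigma(\tau', \beta).$$
Since $\tau'$ is defined as the final coalgebra for a functor, we have a morphism

$$\mathit{out}\colon \tau' \multimap \sigma(\omega(\tau'), \tau') = \sigma(\tau, \tau'),$$
and since $\tau$ is defined to be an initial algebra, we get a morphism

$$\mathit{in}\colon \sigma(\tau', \tau) \multimap \tau.$$

We will show that $(\tau, \tau', \mathit{in}, \mathit{out})$ is an initial dialgebra.

Suppose we are given a dialgebra $(\tau_0, \tau_0', g, g')$. Since $\mathit{in}$ is an initial algebra, there exists a unique map $a$, such that

$$\begin{array}{ccc}
\sigma(\tau_0', \omega(\tau_0')) & \overset{\mathit{in}}{\multimap} & \omega(\tau_0') \\
{\scriptstyle \sigma(id, a)}\ \downarrow & & \downarrow\ {\scriptstyle a} \\
\sigma(\tau_0', \tau_0) & \overset{g}{\multimap} & \tau_0
\end{array}$$

commutes, and thus, since $\mathit{out}$ is a final coalgebra, we find a map $h'$ making the diagram

$$\begin{array}{ccccc}
\tau_0' & \overset{g'}{\multimap} & \sigma(\tau_0, \tau_0') & \overset{\sigma(a, id)}{\multimap} & \sigma(\omega(\tau_0'), \tau_0') \\
{\scriptstyle h'}\ \downarrow & & & & \downarrow\ {\scriptstyle \sigma(\omega(h'), h')} \\
\tau' & & \overset{\mathit{out}}{\multimap} & & \sigma(\omega(\tau'), \tau')
\end{array}
\qquad (2.3)$$

commute. Set $h = a \circ \omega(h')$. We claim that $(h, h')$ defines a map of dialgebras. The second diagram of Definition 2.35 is simply (2.3). The first diagram of 2.35 follows from the commutativity of the composite diagram

$$\begin{array}{ccc}
\sigma(\tau', \tau) & \overset{\mathit{in}}{\multimap} & \tau \\
{\scriptstyle \sigma(h', \omega(h'))}\ \downarrow & & \downarrow\ {\scriptstyle \omega(h')} \\
\sigma(\tau_0', \omega(\tau_0')) & \overset{\mathit{in}}{\multimap} & \omega(\tau_0') \\
{\scriptstyle \sigma(id, a)}\ \downarrow & & \downarrow\ {\scriptstyle a} \\
\sigma(\tau_0', \tau_0) & \overset{g}{\multimap} & \tau_0
\end{array}
\qquad (2.4)$$

where the top diagram commutes by Lemma 2.34.

Finally, we will prove that $(h, h')$ is the unique dialgebra morphism. Suppose we are given a map of dialgebras $(k, k')$ from $(\tau, \tau', \mathit{in}, \mathit{out})$ to $(\tau_0, \tau_0', g, g')$. By the first diagram of Definition 2.35 we have a commutative diagram

$$\begin{array}{ccccc}
\sigma(\tau', \tau) & & \overset{\mathit{in}}{\multimap} & & \tau \\
{\scriptstyle \sigma(id, k)}\ \downarrow & & & & \downarrow\ {\scriptstyle k} \\
\sigma(\tau', \tau_0) & \overset{\sigma(k', id)}{\multimap} & \sigma(\tau_0', \tau_0) & \overset{g}{\multimap} & \tau_0.
\end{array}$$

Since clearly (2.4) also commutes when $k'$ is substituted for $h'$, by (strong) initiality of $\mathit{in}$, we conclude that $k =_{\tau \multimap \tau_0} a \circ \omega(k')$. Finally, by the second diagram of Definition 2.35 we have commutativity of

$$\begin{array}{ccccc}
\tau_0' & \overset{g'}{\multimap} & \sigma(\tau_0, \tau_0') & \overset{\sigma(a, id)}{\multimap} & \sigma(\omega(\tau_0'), \tau_0') \\
{\scriptstyle k'}\ \downarrow & & & & \downarrow\ {\scriptstyle \sigma(\omega(k'), k')} \\
\tau' & & \overset{\mathit{out}}{\multimap} & & \sigma(\omega(\tau'), \tau').
\end{array}$$

So since $\mathit{out}$ is a final coalgebra we conclude $k' =_{\tau_0' \multimap \tau'} h'$.

□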



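2.11.3. Algebraic compactness. As advertised in the introduction to this section, the presence of fixed points makes initial algebras and final coalgebras coincide.

Theorem 2.39 (Algebraic compactness). Assuming identity extension and extensionality, for all types $\alpha \vdash \sigma(\alpha)$ in which $\alpha$ occurs only positively, $\mathit{in}^{-1}$ is internally a final coalgebra and $\mathit{out}^{-1}$ is internally an initial algebra. Furthermore $\mathit{in}^{-1}$ and $\mathit{out}^{-1}$ can be written as terms of $\mathrm{PILL}_Y$.

Proof. By Theorems 2.24 and 2.31 $\mathit{in}$ is an initial algebra, and $\mathit{out}$ is a final coalgebra for $\sigma$. Consider

$$h = Y\ (\nu\alpha.\sigma(\alpha) \multimap \mu\alpha.\sigma(\alpha))\ (\lambda h\colon \nu\alpha.\sigma(\alpha) \multimap \mu\alpha.\sigma(\alpha).\ \mathit{in} \circ \sigma(h) \circ \mathit{out}).$$
Since $Y$ is a fixed-point operator, we know that

$$\begin{array}{ccc}
\sigma(\nu\alpha.\sigma(\alpha)) & \overset{\mathit{out}}{\longleftarrow} & \nu\alpha.\sigma(\alpha) \\
{\scriptstyle \sigma(h)}\ \downarrow & & \downarrow\ {\scriptstyle h} \\
\sigma(\mu\alpha.\sigma(\alpha)) & \overset{\mathit{in}}{\multimap} & \mu\alpha.\sigma(\alpha)
\end{array}$$

commutes. Since $\mathit{in}$ is a coalgebra, we also have a map $k$ going the other way, and since $\mathit{out}$ is a final coalgebra, $k \circ h =_{\nu\alpha.\sigma(\alpha) \multimap \nu\alpha.\sigma(\alpha)} id_{\nu\alpha.\sigma(\alpha)}$. Since $\mathit{in}$ is an initial algebra, we know that $h \circ k =_{\mu\alpha.\sigma(\alpha) \multimap \mu\alpha.\sigma(\alpha)} id_{\mu\alpha.\sigma(\alpha)}$. So $\mathit{in}^{-1} \cong \mathit{out}$ as coalgebras and $\mathit{out}^{-1} \cong \mathit{in}$ as algebras, internally.

□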

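Lemma 2.40. Assume identity extension and extensionality. Let $(\tau, \tau', \mathit{in}, \mathit{out})$ be the initial dialgebra from the proof of Theorem 2.38. Then $(\tau', \tau, \mathit{out}^{-1}, \mathit{in}^{-1})$ is also an initial dialgebra internally.

Proof. In this proof, commutativity of diagrams is up to internal equality.

Suppose we are given a dialgebra $(\tau_0, \tau_0', g, g')$. We will show that there exists a unique morphism of dialgebras from $(\tau', \tau, \mathit{out}^{-1}, \mathit{in}^{-1})$ to $(\tau_0, \tau_0', g, g')$.

By Theorem 2.39, for all types $\alpha$, $\mathit{in}^{-1}\colon \omega(\alpha) \multimap \sigma(\alpha, \omega(\alpha))$ is a final coalgebra for the functor $\beta \mapsto \sigma(\alpha, \beta)$, and $\mathit{out}^{-1}\colon \sigma(\tau, \tau') \multimap \tau'$ is an initial algebra for the functor $\alpha \mapsto \sigma(\omega(\alpha), \alpha)$.

Let $a$ be the unique map making the diagram

$$\begin{array}{ccc}
\tau_0' & \overset{g'}{\multimap} & \sigma(\tau_0, \tau_0') \\
{\scriptstyle a}\ \downarrow & & \downarrow\ {\scriptstyle \sigma(id, a)} \\
\omega(\tau_0) & \overset{\mathit{in}^{-1}}{\multimap} & \sigma(\tau_0, \omega(\tau_0))
\end{array}$$

commute. Define $h$ to be the unique map making

$$\begin{array}{ccccc}
\sigma(\tau, \tau') & & \overset{\mathit{out}^{-1}}{\multimap} & & \tau' \\
{\scriptstyle \sigma(\omega(h), h)}\ \downarrow & & & & \downarrow\ {\scriptstyle h} \\
\sigma(\omega(\tau_0), \tau_0) & \overset{\sigma(a, id)}{\multimap} & \sigma(\tau_0', \tau_0) & \overset{g}{\multimap} & \tau_0
\end{array}
\qquad (2.5)$$

commute. We define $h'$ to be $\omega(h) \circ a$ and prove that $(h, h')$ is a map of dialgebras. The first diagram of Definition 2.35 is simply (2.5). Commutativity of the second diagram follows from commutativity of

$$\begin{array}{ccc}
\tau_0' & \overset{g'}{\multimap} & \sigma(\tau_0, \tau_0') \\
{\scriptstyle a}\ \downarrow & & \downarrow\ {\scriptstyle \sigma(id, a)} \\
\omega(\tau_0) & \overset{\mathit{in}^{-1}}{\multimap} & \sigma(\tau_0, \omega(\tau_0)) \\
{\scriptstyle \omega(h)}\ \downarrow & & \downarrow\ {\scriptstyle \sigma(h, \omega(h))} \\
\tau & \overset{\mathit{in}^{-1}}{\multimap} & \sigma(\tau', \tau)
\end{array}
\qquad (2.6)$$

where commutativity of the last diagram follows from Lemma 2.34.

Finally, we will show that if $(k, k')$ is another map of dialgebras from the dialgebra $(\tau', \tau, \mathit{out}^{-1}, \mathit{in}^{-1})$ to $(\tau_0, \tau_0', g, g')$ then $h =_{\tau' \multimap \tau_0} k$ and $h' =_{\tau_0' \multimap \tau} k'$. By the second diagram of Definition 2.35 we know that

$$\begin{array}{ccccc}
\tau_0' & \overset{g'}{\multimap} & \sigma(\tau_0, \tau_0') & \overset{\sigma(k, id)}{\multimap} & \sigma(\tau', \tau_0') \\
{\scriptstyle k'}\ \downarrow & & & & \downarrow\ {\scriptstyle \sigma(id, k')} \\
\tau & & \overset{\mathit{in}^{-1}}{\multimap} & & \sigma(\tau', \tau)
\end{array}
\qquad (2.7)$$

commutes. Clearly, if we substitute $k$ for $h$ in (2.6), we obtain a diagram that commutes by Lemma 2.34. So, using the fact that $\mathit{in}^{-1}$ is a final coalgebra on (2.7), we get $k' =_{\tau_0' \multimap \tau} \omega(k) \circ a$.

The first diagram of Definition 2.35 implies that

$$\begin{array}{ccccc}
\sigma(\tau, \tau') & & \overset{\mathit{out}^{-1}}{\multimap} & & \tau' \\
{\scriptstyle \sigma(\omega(k), k)}\ \downarrow & & & & \downarrow\ {\scriptstyle k} \\
\sigma(\omega(\tau_0), \tau_0) & \overset{\sigma(a, id)}{\multimap} & \sigma(\tau_0', \tau_0) & \overset{g}{\multimap} & \tau_0
\end{array}$$

commutes. Comparing this to (2.5) we obtain $h =_{\tau' \multimap \tau_0} k$, by initiality of $\mathit{out}^{-1}$.

□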



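Theorem 2.41. Assuming identity extension and extensionality, for all types $\sigma(\alpha, \beta)$ where $\alpha$ occurs only negatively and $\beta$ only positively, there exists a type $\mathit{rec}\ \alpha.\sigma(\alpha, \alpha)$ and an isomorphism

$$i\colon \sigma(\mathit{rec}\ \alpha.\sigma(\alpha, \alpha), \mathit{rec}\ \alpha.\sigma(\alpha, \alpha)) \multimap \mathit{rec}\ \alpha.\sigma(\alpha, \alpha),$$
such that $(\mathit{rec}\ \alpha.\sigma(\alpha, \alpha), \mathit{rec}\ \alpha.\sigma(\alpha, \alpha), i, i^{-1})$ is an initial dialgebra up to internal equality.

Proof. As usual commutativity of diagrams will be up to internal equality.
We have a unique map of dialgebras

$$(h, h')\colon (\tau, \tau', \mathit{in}, \mathit{out}) \to (\tau', \tau, \mathit{out}^{-1}, \mathit{in}^{-1}).$$

We claim that $(h', h)$ is also a map of dialgebras from $(\tau, \tau', \mathit{in}, \mathit{out})$ to $(\tau', \tau, \mathit{out}^{-1}, \mathit{in}^{-1})$. To prove this we need to prove commutativity of the diagrams

$$\begin{array}{ccc}
\sigma(\tau', \tau) & \overset{\mathit{in}}{\multimap} & \tau \\
{\scriptstyle \sigma(h, h')}\ \downarrow & & \downarrow\ {\scriptstyle h'} \\
\sigma(\tau, \tau') & \overset{\mathit{out}^{-1}}{\multimap} & \tau'
\end{array}
\qquad\qquad
\begin{array}{ccc}
\tau & \overset{\mathit{in}^{-1}}{\multimap} & \sigma(\tau', \tau) \\
{\scriptstyle h}\ \downarrow & & \downarrow\ {\scriptstyle \sigma(h', h)} \\
\tau' & \overset{\mathit{out}}{\multimap} & \sigma(\tau, \tau')
\end{array}$$

but the fact that $(h, h')$ is a map of dialgebras tells us exactly that

$$\begin{array}{ccc}
\sigma(\tau', \tau) & \overset{\mathit{in}}{\multimap} & \tau \\
{\scriptstyle \sigma(h', h)}\ \downarrow & & \downarrow\ {\scriptstyle h} \\
\sigma(\tau, \tau') & \overset{\mathit{out}^{-1}}{\multimap} & \tau'
\end{array}
\qquad\qquad
\begin{array}{ccc}
\tau & \overset{\mathit{in}^{-1}}{\multimap} & \sigma(\tau', \tau) \\
{\scriptstyle h'}\ \downarrow & & \downarrow\ {\scriptstyle \sigma(h, h')} \\
\tau' & \overset{\mathit{out}}{\multimap} & \sigma(\tau, \tau')
\end{array}$$

commute, and these two diagrams are the same as the above but in opposite order. Thus, by uniqueness of maps of dialgebras out of $(\tau, \tau', \mathit{in}, \mathit{out})$, we get $h =_{\tau \multimap \tau'} h'$. Since $(h, h)$ is a map between initial dialgebras, $h$ is an isomorphism.

Now define $f\colon \sigma(\tau, \tau) \multimap \tau$ to be $\mathit{in} \circ \sigma(h^{-1}, id_\tau)$. Then clearly $(id_\tau, h^{-1})$ is a morphism of dialgebras from $(\tau, \tau, f, f^{-1})$ to $(\tau, \tau', \mathit{in}, \mathit{out})$, since the diagrams proving $(id_\tau, h^{-1})$ to be a map of dialgebras are

$$\begin{array}{ccccc}
\sigma(\tau, \tau) & \overset{\sigma(h^{-1}, id)}{\multimap} & \sigma(\tau', \tau) & \overset{\mathit{in}}{\multimap} & \tau \\
{\scriptstyle \sigma(h^{-1}, id)}\ \downarrow & & & & \downarrow\ {\scriptstyle id} \\
\sigma(\tau', \tau) & & \overset{\mathit{in}}{\multimap} & & \tau
\end{array}$$

$$\begin{array}{ccccc}
\tau' & & \overset{\mathit{out}}{\multimap} & & \sigma(\tau, \tau') \\
{\scriptstyle h^{-1}}\ \downarrow & & & & \downarrow\ {\scriptstyle \sigma(id, h^{-1})} \\
\tau & \overset{\mathit{in}^{-1}}{\multimap} & \sigma(\tau', \tau) & \overset{\sigma(h, id)}{\multimap} & \sigma(\tau, \tau).
\end{array}$$

Clearly the first diagram commutes, and the second diagram is just part of the definition of $(h, h)$ being a map of dialgebras. Thus $(id_\tau, h^{-1})$ defines an isomorphism of dialgebras from $(\tau, \tau, f, f^{-1})$ to $(\tau, \tau', \mathit{in}, \mathit{out})$, as desired. □

Notice that the closed terms $\mathit{rec}\ \alpha.\sigma(\alpha, \alpha) \multimap \sigma(\mathit{rec}\ \alpha.\sigma(\alpha, \alpha), \mathit{rec}\ \alpha.\sigma(\alpha, \alpha))$ and

$$\sigma(\mathit{rec}\ \alpha.\sigma(\alpha, \alpha), \mathit{rec}\ \alpha.\sigma(\alpha, \alpha)) \multimap \mathit{rec}\ \alpha.\sigma(\alpha, \alpha)$$

always exist, independent of the assumption of parametricity. Parametricity implies that they are each other's inverses.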

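2.12. A mixed induction/coinduction principle. Here we prove the following reasoning principle for the recursive type $\mathit{rec}\ \alpha.\sigma(\alpha, \alpha)$. This principle is the same as the one obtained by Pitts for recursive types in the category of domains [Pit95, Cor 4.10]. Again, as noted before Theorem 2.33 we must assume that $\sigma$ is an inductively defined type to make sense of the relational interpretation of $\sigma$ at general non-admissible relations.

Theorem 2.42. Suppose $\alpha, \beta \vdash \sigma(\alpha, \beta)$ is an inductively defined type in which $\alpha$ occurs only positively and $\beta$ only negatively. Suppose further

$$\begin{aligned}
R^- &\colon \mathrm{Rel}(\mathit{rec}\ \alpha.\sigma(\alpha, \alpha), \mathit{rec}\ \alpha.\sigma(\alpha, \alpha)) \text{ and} \\
R^+ &\colon \mathrm{AdmRel}(\mathit{rec}\ \alpha.\sigma(\alpha, \alpha), \mathit{rec}\ \alpha.\sigma(\alpha, \alpha))
\end{aligned}$$

are relations. Then the following principle holds

$$\frac{(i^{-1}, i^{-1})\colon R^- \multimap \sigma(R^+, R^-) \qquad (i, i)\colon \sigma(R^-, R^+) \multimap R^+}{R^- \subset eq_{\mathit{rec}\ \alpha.\sigma(\alpha, \alpha)} \subset R^+}$$

where $i$ denotes the isomorphism

$$\sigma(\mathit{rec}\ \alpha.\sigma(\alpha, \alpha), \mathit{rec}\ \alpha.\sigma(\alpha, \alpha)) \multimap \mathit{rec}\ \alpha.\sigma(\alpha, \alpha).$$

Proof. We first prove the rule in the case of both relations being admissible. The proof in this case is a surprisingly simple consequence of parametricity.

The proof of Theorem 2.41 is constructive in the sense that there is a construction of the maps $h, h'$ constituting the unique dialgebra map out of the initial dialgebra from the given types $\omega, \omega'$ and terms $t, t'$. In fact, from the proof we can derive terms

$$\begin{aligned}
k &\colon \prod\omega, \omega'.\ (\sigma(\omega', \omega) \multimap \omega) \multimap (\omega' \multimap \sigma(\omega, \omega')) \multimap \mathit{rec}\ \alpha.\sigma(\alpha, \alpha) \multimap \omega \\
k' &\colon \prod\omega, \omega'.\ (\sigma(\omega', \omega) \multimap \omega) \multimap (\omega' \multimap \sigma(\omega, \omega')) \multimap \omega' \multimap \mathit{rec}\ \alpha.\sigma(\alpha, \alpha)
\end{aligned}$$

such that the maps $h, h'$ can be obtained as

$$\begin{aligned}
h &= k\ \omega\ \omega'\ t\ t' \\
h' &= k'\ \omega\ \omega'\ t\ t'.
\end{aligned}$$

The exact constructions of $k, k'$ are not of interest to us right now; what matters to us is that we can use the assumption of parametricity on them. We consider the case $\omega = \omega' = \mathit{rec}\ \alpha.\sigma(\alpha, \alpha)$ and $t = i$ and $t' = i^{-1}$. In this case of course $h = h' = id$. If we use parametricity of $k'$ by substituting the relation $R^-$ for the type $\omega'$ and $R^+$ for $\omega$ then we get, since

$$id = k'\ \mathit{rec}\ \alpha.\sigma(\alpha, \alpha)\ \mathit{rec}\ \alpha.\sigma(\alpha, \alpha)\ i\ i^{-1},$$
$(id, id)\colon R^- \multimap eq_{\mathit{rec}\ \alpha.\sigma(\alpha, \alpha)}$. Likewise, using parametricity of $k$ we get

$$(id, id)\colon eq_{\mathit{rec}\ \alpha.\sigma(\alpha, \alpha)} \multimap R^+$$
which proves the theorem in the case of $R^-$ being admissible.

For the general case, we just need a simple application of the closure operator of Lemma 1.35. So assume again

$$\begin{aligned}
(i^{-1}, i^{-1})&\colon R^- \multimap \sigma(R^+, R^-), \\
(i, i)&\colon \sigma(R^-, R^+) \multimap R^+,
\end{aligned}$$

and $R^+$ is admissible, but $R^-$ may not be. The idea is to use the case above on $\Phi(R^-)$ and $R^+$ which are both admissible, but we need to check that the hypothesis still holds for this case. First, by $\Phi$ being a functor

$$(i^{-1}, i^{-1})\colon \Phi(R^-) \multimap \Phi(\sigma(R^+, R^-)).$$

But, since $\sigma(R^+, \Phi(R^-))$ is an admissible relation containing $\sigma(R^+, R^-)$,

$$\Phi(\sigma(R^+, R^-)) \subset \sigma(R^+, \Phi(R^-))$$

and so

$$(i^{-1}, i^{-1})\colon \Phi(R^-) \multimap \sigma(R^+, \Phi(R^-)). \qquad (2.8)$$

Since $\sigma(\Phi(R^-), R^+) \subset \sigma(R^-, R^+)$ we also have

$$(i, i)\colon \sigma(\Phi(R^-), R^+) \multimap R^+. \qquad (2.9)$$
Using the case of admissible relation proved above on (2.8) and (2.9), we get

$$\Phi(R^-) \subset eq_{\mathit{rec}\ \alpha.\sigma(\alpha, \alpha)} \subset R^+$$

which together with $R^- \subset \Phi(R^-)$ proves the theorem in the general case. □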

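2.13. Recursive type equations with parameters. We now consider recursive type equations with parameters, i.e., we consider types $\vec\alpha, \alpha \vdash \sigma(\vec\alpha, \alpha)$ and look for types $\vec\alpha \vdash \mathit{rec}\ \alpha.\sigma(\vec\alpha, \alpha)$ satisfying $\sigma(\vec\alpha, \mathit{rec}\ \alpha.\sigma(\vec\alpha, \alpha)) \cong \mathit{rec}\ \alpha.\sigma(\vec\alpha, \alpha)$. As before, we need to split occurrences of the variable $\alpha$ into positive and negative occurrences, and since we would like to be able to construct nested recursive types, we need to keep track of positive and negative occurrences of the variables $\vec\alpha$ in the solution $\mathit{rec}\ \alpha.\sigma(\vec\alpha, \alpha)$ as well. So we will suppose that we are given a type $\vec\alpha, \vec\beta, \alpha, \beta \vdash \sigma(\vec\alpha, \vec\beta, \alpha, \beta)$ in which the variables $\vec\alpha, \alpha$ occur only negatively and the variables $\vec\beta, \beta$ only positively.

Of course, the proof proceeds as in the case without parameters. However, one must take care to obtain the right occurrences of parameters, and so we sketch the proof here.

Lemma 2.43. Suppose $\vec\alpha, \vec\beta, \alpha, \beta \vdash \sigma(\vec\alpha, \vec\beta, \alpha, \beta)$ is a type in which the variables $\vec\alpha, \alpha$ occur only negatively and the variables $\vec\beta, \beta$ only positively. There exist types $\vec\alpha, \vec\beta \vdash \tau(\vec\alpha, \vec\beta)$ in which $\vec\alpha$ occurs only negatively and $\vec\beta$ only positively and $\vec\alpha, \vec\beta \vdash \tau'(\vec\alpha, \vec\beta)$ in which $\vec\alpha$ occurs only positively and $\vec\beta$ only negatively and terms

$$\begin{aligned}
\mathit{in}&\colon \sigma(\vec\alpha, \vec\beta, \tau'(\vec\alpha, \vec\beta), \tau(\vec\alpha, \vec\beta)) \multimap \tau(\vec\alpha, \vec\beta) \\
\mathit{out}&\colon \tau'(\vec\alpha, \vec\beta) \multimap \sigma(\vec\beta, \vec\alpha, \tau(\vec\alpha, \vec\beta), \tau'(\vec\alpha, \vec\beta))
\end{aligned}$$

such that for any pair of types $\vec\alpha, \vec\beta \vdash \omega, \omega'$, and terms

$$\begin{aligned}
g&\colon \sigma(\vec\alpha, \vec\beta, \omega', \omega) \multimap \omega \\
g'&\colon \omega' \multimap \sigma(\vec\beta, \vec\alpha, \omega, \omega')
\end{aligned}$$

there exist unique $h, h'$ making

$$\begin{array}{ccc}
\sigma(\vec\alpha, \vec\beta, \tau'(\vec\alpha, \vec\beta), \tau(\vec\alpha, \vec\beta)) & \overset{\mathit{in}}{\multimap} & \tau(\vec\alpha, \vec\beta) \\
{\scriptstyle \sigma(\vec\alpha, \vec\beta, h', h)}\ \downarrow & & \downarrow\ {\scriptstyle h} \\
\sigma(\vec\alpha, \vec\beta, \omega', \omega) & \overset{g}{\multimap} & \omega
\end{array}$$

$$\begin{array}{ccc}
\omega' & \overset{g'}{\multimap} & \sigma(\vec\beta, \vec\alpha, \omega, \omega') \\
{\scriptstyle h'}\ \downarrow & & \downarrow\ {\scriptstyle \sigma(\vec\beta, \vec\alpha, h, h')} \\
\tau'(\vec\alpha, \vec\beta) & \overset{\mathit{out}}{\multimap} & \sigma(\vec\beta, \vec\alpha, \tau(\vec\alpha, \vec\beta), \tau'(\vec\alpha, \vec\beta))
\end{array}$$

commute up to internal equality.

Proof. Define

$$\begin{aligned}
\omega(\vec\alpha, \vec\beta, \alpha) &= \mu\beta.\ \sigma(\vec\alpha, \vec\beta, \alpha, \beta) \\
\tau'(\vec\alpha, \vec\beta) &= \nu\alpha.\ \sigma(\vec\beta, \vec\alpha, \omega(\vec\alpha, \vec\beta, \alpha), \alpha) \\
\tau(\vec\alpha, \vec\beta) &= \omega(\vec\alpha, \vec\beta, \tau'(\vec\alpha, \vec\beta)).
\end{aligned}$$

Notice that we have swapped the occurrences of $\vec\alpha, \vec\beta$ in $\sigma$ in the definition of $\tau'$, making all occurrences of $\vec\alpha$ in $\tau'$ positive and all occurrences of $\vec\beta$ in $\tau'$ negative. The rest of the proof proceeds exactly as the proof of Theorem 2.38. □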

Theorem 2.44. Suppose a,P,a,(3 h a{a, f3,a, (3) is a type as in Lemma \2.43\ Then there 
exists a type rec a. a{a, /3, a, a) with a occurring only negatively and f3 only positively, and 
an isomorphism 

i : a{d, (3, rec a. a{f3, a, a, a), rec a. a{a, /?, a, a)) — o rec a. a{a, P, a, a) 

satisfying the conclusion of Lemma \2.44\ with 

T{a,(3) = rec a. a{d, f3, a, a), 
T'{a,(3) = rec a.a{(3,a,a,a), 
i = in, 
out = i~^. 

Proof. Using Theorem 12.391 we can prove as in the proof of Lemma 12.401 that the pair 

out^^ : a{d, (3, t{(3, a), r'(/3, a)) -<• t'{I3, a) 
in~^ : r(/5, a) -o (T{f3, a, t'(/3, a), r(/9, a)) 

also satisfies the conclusion of Lemma 12.441 Proceeding as in the proof of Lemma 12.411 we 
get an isomorphism r(cS, (3) = T'{f3, a) up to internal equality, which implies the theorem. □ 

The mixed induction/coinduction principle of Theorem 12.421 can be generalized to re- 
cursive types with parameters as follows. 

Theorem 2.45. Suppose R^: AdmRel(a;+, and R_: AclmRel(a;_, are vectors of 
admissible relations, and 

5+ : AdmRel(rec a. cr(u;_, cl;+, a, a), rec a. a{Lo'_,uj'_^_,a, a)) 
S- : Re\{rec a. a{uj+,uj-,a, a), rec a. a{uj'^,uj'_,a, a)) 

are relations. Then the following rule holds: 

(i-\ri): S- a{R+,R-,S+,S-) {i,i): a{R-, R+, S-, S+) -<• S+ 

S- C rec a. a{R-^-,R-, a, a) rec a. cr(R_, R^, a, a) C 5+ 
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Proof. The proof proceeds as the proof of Theorem 12.421 and we start by considering the 
case where S- is admissible. This time the terms generating h, h' have types 

{(7{d, /?, Lj' , Lj) —o Lo) —o (u)' —o a{l3, d, uj, uj')) —o rec a. a{d, /3, a, a) —olo 

k': UdJ.Yl^,^'- 

{a{d, P, Lj' , Lo) —o Lo) —o iuj' —o a{(3, d, uj, uj')) —oLo'^ rec a. a{(3, a, a, a) 

Now, notice first that 

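$$k\ \vec\omega_+\ \vec\omega_-\ (\mathrm{rec}\,\alpha.\,\sigma(\vec\omega_+, \vec\omega_-, \alpha, \alpha))\ (\mathrm{rec}\,\alpha.\,\sigma(\vec\omega_-, \vec\omega_+, \alpha, \alpha))\ i\ i^{-1} = id_{\mathrm{rec}\,\alpha.\,\sigma(\vec\omega_+, \vec\omega_-, \alpha, \alpha)} \tag{2.10}$$

$$k'\ \vec\omega_+\ \vec\omega_-\ (\mathrm{rec}\,\alpha.\,\sigma(\vec\omega_+, \vec\omega_-, \alpha, \alpha))\ (\mathrm{rec}\,\alpha.\,\sigma(\vec\omega_-, \vec\omega_+, \alpha, \alpha))\ i\ i^{-1} = id_{\mathrm{rec}\,\alpha.\,\sigma(\vec\omega_-, \vec\omega_+, \alpha, \alpha)} \tag{2.11}$$

$$k\ \vec\omega'_+\ \vec\omega'_-\ (\mathrm{rec}\,\alpha.\,\sigma(\vec\omega'_+, \vec\omega'_-, \alpha, \alpha))\ (\mathrm{rec}\,\alpha.\,\sigma(\vec\omega'_-, \vec\omega'_+, \alpha, \alpha))\ i\ i^{-1} = id_{\mathrm{rec}\,\alpha.\,\sigma(\vec\omega'_+, \vec\omega'_-, \alpha, \alpha)} \tag{2.12}$$

$$k'\ \vec\omega'_+\ \vec\omega'_-\ (\mathrm{rec}\,\alpha.\,\sigma(\vec\omega'_+, \vec\omega'_-, \alpha, \alpha))\ (\mathrm{rec}\,\alpha.\,\sigma(\vec\omega'_-, \vec\omega'_+, \alpha, \alpha))\ i\ i^{-1} = id_{\mathrm{rec}\,\alpha.\,\sigma(\vec\omega'_-, \vec\omega'_+, \alpha, \alpha)} \tag{2.13}$$

as in the proof of Theorem 2.42. 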

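The theorem will follow from instantiating the parametricity schema of $k, k'$ with $\vec R_-$ 
substituted for $\vec\alpha$, $\vec R_+$ substituted for $\vec\beta$ and $S_+$ for $\omega$ and $S_-$ for $\omega'$. This tells us that if 

$$(i, i) : \sigma(\vec R_-, \vec R_+, S_-, S_+) \multimap S_+$$

then (using (2.10)-(2.13) above) 

$$\begin{aligned}
(id_{\mathrm{rec}\,\alpha.\,\sigma(\vec\omega_+, \vec\omega_-, \alpha, \alpha)},\ id_{\mathrm{rec}\,\alpha.\,\sigma(\vec\omega'_+, \vec\omega'_-, \alpha, \alpha)}) &: S_- \multimap \mathrm{rec}\,\alpha.\,\sigma(\vec R_+, \vec R_-, \alpha, \alpha) \\
(id_{\mathrm{rec}\,\alpha.\,\sigma(\vec\omega_-, \vec\omega_+, \alpha, \alpha)},\ id_{\mathrm{rec}\,\alpha.\,\sigma(\vec\omega'_-, \vec\omega'_+, \alpha, \alpha)}) &: \mathrm{rec}\,\alpha.\,\sigma(\vec R_-, \vec R_+, \alpha, \alpha) \multimap S_+
\end{aligned}$$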

which was what we needed to prove. 

For the general case, dropping the assumption that $S_-$ is admissible, the proof proceeds 
exactly as in Theorem 2.42. □ 



3. Conclusion 

We have presented the logic LAPL for reasoning about parametricity in the domain 
theoretic case, and we have shown how in this logic Plotkin's encodings of recursive types 
can be verified. In later papers we will present a general notion of model of LAPL, and 
show how various earlier suggested domain theoretic models of parametric polymorphism 
fit this general notion of model. These models include a model based on admissible pers 
over a reflexive domain [BMP05], Rosolini and Simpson's construction in Synthetic Domain 
Theory [RS04] and a model based on the language Lily [BPR00]. 

In all these cases, the central point in verifying that these give rise to models of LAPL 
is to show that the various notions of admissible relations in the specific models satisfy 
the axioms for admissible relations presented in this paper. In the case of admissible pers 
the admissible relations are given by pointed chain complete subpers, in Synthetic Domain 
Theory the admissible relations are given by subdomain and in the case of Lily these are 
given by the ⊤⊤-closed relations. Of course the axioms presented here have been constructed 
to be general enough to fit all these cases. 

As mentioned in the introduction, the logic LAPL can be seen as an axiomatization 
of a good category of domains. An interesting question is whether this is actually a useful 
axiomatization, particularly because the solutions to recursive domain equations obtained 
using LAPL satisfy universal properties with respect to linear maps of PILL$_Y$, and most 
programming languages that one might want to model using domains do not correspond 
to linear calculi. A recent paper by the second author [Møg06] provides evidence of the 
usefulness of LAPL by showing how models of it give rise to models of FPC — a simply 
typed lambda calculus with general recursive types first suggested by Plotkin [Plo85] (see 
also [Fio96]) — and that these models model the expected reasoning principles for recursive 
types, reflecting a famous similar result in classical domain theory. 